redefining research: vulnerability journalism

[J Roger <securityhocus () gmail com>]

Discovered a security flaw in a production system you had no authority or
permission to audit? Afraid to disclose the information for fear of
prosecution? Don't stress too much, you have some protection if you redefine
yourself as a "vulnerability journalist"

According to a recent Wired article on the "stolen" Apple iphone fiasco,

The federal Privacy Protection Act prohibits the government from seizing
> materials from journalists and others who possess material for the purpose
> of communicating to the public. The government cannot seize material from
> the journalist even if it’s investigating whether the person who possesses
> the material committed a crime.
>
> Instead, investigators need to obtain a subpoena, which would allow the
> reporter or media outlet to challenge the request and segregate information
> that is not relevant to the investigation.
Perhaps the "journalist" title isn't even necessary thanks to the "and
others" bit there but it also couldn't hurt, besides it sounds kind of cool
right. Now this of course doesn't imply that you can't be prosecuted for a
crime, just that they can only use subpoenas and not warrants. Naturally,
being a ethical and moral vulnerability journalist you would never rm any
incriminating evidence as part of the process to "segregate information that
is not relevant to the investigation."

Out: Narcissistic Vulnerability Pimp
In: Vulnerability Journalist

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/