Re: Disclosure of vulns and its legal aspects...

[Sat Jagat Singh <flyingdervish () yahoo com>]

IMHO, I would consider probing random web sites for
security vulnerabilities as ethically questionable at
best.  To then promote yourself to the site owner
through what sounds like a veiled threat definitely
crosses the line.  No wonder companies reject those
kinds of demands.  If they are smart, they might turn
around and hire someone with a solid reputation to
hunt down the vulnerability.

In the U.S. there are no clear laws about conducting
this type of research; and so the chance of
prosecution is pretty low, but I wouldn't be surprised
at getting hit with a civil lawsuit.

As I understand the laws in the UK (definitely not my
sphere), you could be (and others have been) jailed
for the activity you've already conducted; making the
point that many people consider this activity not only
unethical, but criminal (kind of overboard, I think).

If you are just concerned about their security, I
would send an anonymous email and then forget about
it.  By no means should you publicize such a
vulnerability until you have disclosed it to the site
owner.
--- Dark Cold Ice <darkcoldice () gmail com> wrote:

> Hi all,
>
> It was earlier today whilst testing some websites as
> a personal
> research/leisure time that i found a quite critical
> bug in a major
> computer related website which will not be
> disclosured until all the
> legal aspects of the disclosure process itself are
> dealt with.
> After detecting the aforementioned vulnerability i
> was, like many have
> been before, "jailed" between the decisions of
> reporting it or not, it
> didn't take me long to decide to report it to the
> vendor as the flaw
> itself was on it's website... My first step and only
> one so far was to
> write the vendor the typical "praxis" e-mail saying
> that there MIGHT
> be a vulnerability SOMEWHERE on their website and
> that i would like
> carte blanche to investigate a bit more about it. I
> am now stuck with
> 3 thoughts, first of all, if the answer is no ( most
> common perhaps)
> the vendor will be losing its chance to know where
> and what flaw is
> it... will i be stuck with that and not be able to
> publicize it to the
> security community?
> Second thought, if the vendor says yes, i will
> report them the
> vulnerability but, what entitles me the right to do
> it legally... a
> simple e-mail would be enough perhaps...
> Third and last thought, if they indeed agree to give
> me the chance to
> test and report them the vulnerability i will only
> be entitled to
> publicize it once solved, but even then, will it be
> legal to make a
> full disclosure?
>
> Thank you all in advance,
>
> Darkcoldice
>
> PS: What would the difference be between the US and
> UK laws on that
> final aspect?
------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
------------------------------------------------------------------------
>



       
____________________________________________________________________________________Get the Yahoo! toolbar and be 
alerted to new email wherever you're surfing.
http://new.toolbar.yahoo.com/toolbar/features/mail/index.php

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------