In Depth
Software Vulnerability Disclosure: The Chilling Effect
How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal
By Scott Berinato
Two cases in a similar vein preceded McCarty's. In one, the defendant was acquitted in less than half an hour, Granick says; in the other, prosecutors managed to convict the hacker but, in a strange twist, abandoned the conviction on appeal (Granick represented the defendant on the appeal). In the USC case, though, McCarty pleaded guilty to unauthorized access. Granick calls this "terrible and detrimental."
"Law says you can't access computers without permission," she explains. "Permission on a website is implied. So far, we've relied on that. The Internet couldn't work if you had to get permission every time you wanted to access something. But what if you're using a website in a way that's possible but that the owner didn't intend? The question is whether the law prohibits you from exploring all the ways a website works," including through vulnerabilities.
Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it. "Reporting how a website works has to be different than attacking a website," she says. "Without it, you encourage bad disclosure, or people won't do it at all because they're afraid of the consequences." Already many researchers, including Meunier at Purdue, have come to view a request for a researcher's proof-of-concept exploit code as a potentially aggressive tactic. Handing it over, Meunier says, is a bad idea because it's proof that you've explored the website in a way the person you're giving the code to did not intend. The victim you're trying to help could submit that as Exhibit A in a criminal trial against you.
RSnake says he thought about these issues before he started his discussion thread. "I went back and forth personally," he says. "Frankly, I don't think it's really illegal. I have no interest in exploiting the Web." As for the others on the discussion board: "everyone on my board, I believe, is nonmalicious." But he acknowledges that the specter of illegality and the uncertainty surrounding Web vulnerability disclosure are driving some researchers away and driving others, just as Granick predicted, to try to disclose anonymously or through back channels, which he says is unfortunate. "We're like a security lab. Trying to shut us down is the exact wrong response. It doesn't make the problem go away. If anything, it makes it worse. What we're doing is not meant to hurt companies. It's meant to make them protect themselves. I'm a consumer advocate."