In Depth

Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

By Scott Berinato

Page 9

By early November last year, the number of vulnerable sites posted reached 1,000, many discovered by RSnake himself. His signature on his posts reads "RSnake—Gotta love it." It connotes an aloofness that permeates the discussion thread, as if finding XSS vulnerabilities were too easy. It's fun but hardly professionally interesting, like Tom Brady playing flag football.

Clearly, this is not responsible disclosure by the standards shrink-wrapped software has come to be judged, but RSnake doesn't think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we've already seen how hard that will be, technically), can work. For one, he says, he'd be spending all day filling out vulnerability reports. But more to the point, "If I went out of my way to tell them they're vulnerable, they may or may not fix it, and, most importantly, the public doesn't get that this is a big problem."

Discovery Is (Not?) a Crime

RSnake is not alone in his skepticism over proper channels being used for something like XSS vulnerabilities. Wysopal himself says that responsible disclosure guidelines, ones he helped develop, "don't apply at all with Web vulnerabilities." Implicit in his and Christey's process was the idea that the person disclosing the vulnerabilities was entitled to discover them in the first place, that the software was theirs to inspect. (Even on your own software, the end user license agreement—EULA—and the Digital Millennium Copyright Act—DMCA—limit what you can do with it.) The seemingly endless string of websites RSnake and the small band of hackers had outed were not theirs to audit.

Disclosing the XSS vulnerabilities on those websites was implicitly confessing to having discovered that vulnerability. Posting the exploit code—no matter how innocuous—was definitive proof of discovery. That, it turns out, might be illegal.

No one knows for sure yet if it is, but how the law develops will determine whether vulnerability research will get back on track or devolve into the unorganized bazaar that it once was and that RSnake's discussion board hints it could be.

The case law in this space is sparse, but one of the few recent cases that address vulnerability discovery is not encouraging. A man named Eric McCarty, after allegedly being denied admission to the University of Southern California, hacked the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. The website notified the university and subsequently published information about the vulnerability. McCarty made little attempt to cover his tracks and even blogged about the hack. Soon enough, he was charged with a crime. The case is somewhat addled, says Jennifer Granick, a prominent lawyer in the vulnerability disclosure field and executive director at Stanford's Center for Internet and Society. "The prosecutor argued that it's because he copied the data and sent it to an unauthorized person that he's being charged," says Granick, "but copying data isn't illegal. So you're prosecuting for unauthorized testing of the system"—what any Web vulnerability discoverer is doing—"but you're motivated by what they did with the information. It's kind of scary."

