From Dark Reading:
What if a Web researcher found a bug on your Website today — but was too afraid of the law to tell you?
The Computer Security Institute (CSI) recently formed a working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents to explore the effects of laws that might hinder Web 2.0 vulnerability research. And the CSI group’s first report — which it will present on Monday at CSI’s NetSec conference in Scottsdale, Ariz. — has some chilling findings.
In the report, some Web researchers say that even if they find a bug accidentally on a site, they are hesitant to disclose it to the Website’s owner for fear of prosecution. “This opinion grew stronger the more they learned during dialogue with working group members from the Department of Justice,” the report says.
That revelation is unnerving to Jeremiah Grossman, CTO and founder of WhiteHat Security and a member of the working group. “That means only people that are on the side of the consumer are being silenced for fear of prosecution,” and not the bad guys.
There has been more than one occasion where I have discovered a bug on a website but was not willing to come forward and let them know. There was a time when folks were glad for the help. In this day and age you never can be too sure. And I have to be honest, I don't ever want to find out the hard way.
Dave:
The report does not cover how a security professional can minimize legal risk by notifying people in advance, before he undertakes an aggressive security probe or action.
–Ben Wright, hack-igations.com