
Ethics and legality regarding reporting online holes in security software

  • 23-06-2017 11:39am
    #1
    Closed Accounts Posts: 2,021 ✭✭✭


    Hi,

    I have a question maybe someone can advise.

    All hypothetical.

    Say a person discovers a flaw in a company's security software which, if exploited, may cause issues for said company.

    This person advises the company that they have discovered this and that, if said company pays them, they will confirm what it is and advise how to fix it.

    Is this part in any way against the law? I wouldn't believe so.

    Next part: say the company refuses to pay and this person does not advise them. Is this person liable for anything that happens from here on out for not advising the company of what the issue is?

    All hypothetical, but I'm curious how it would pan out in this age of online security.


Comments

  • Registered Users Posts: 7,554 ✭✭✭GerardKeating


    It can all depend on how something is worded, a bit like the difference between tax evasion and tax avoidance. For example, one of the statements below is not a crime.
    • There is a hole in your security, give me one million euro or I tell the world.
    • There is a hole in your security, give me one million euro and I will fix it for you.


  • Moderators, Society & Culture Moderators Posts: 9,679 Mod ✭✭✭✭Manach


    While this might not directly address the OP's question, it is based on IT security training and readings of IT law books.

    There are levels of entry allowed on IT systems, just as in their real-world analogues. There are also different actors, such as customers of a site or people hired to provide security. So there would likely be no issue in highlighting problems in an area where the general public are allowed to be, e.g. a landing page, but an area like the database backend can be distinguished, as viewing the code there would have entailed a measure of trespass to reach that area.

    Finally, there are some companies that do have the practice of paying bounties for code errors/security leaks; they would seem to have the better model than those just ignoring such issues.


  • Registered Users Posts: 3,739 ✭✭✭scamalert


    The above poster has a fair point about how the vulnerability was found. If it was by some random analysing/debugging at home, then yeah, go for the bounty approach; if it was inside the company, just report it and fix the issue; or if it's a software developer's code issue, you'd have better luck contacting them.

    That said, I don't think any company would be willing to pay out. Unless it's a massive company and you found some 0-day exploit, and not some mis-config, chances are slim anyone would pay you. If it's software then you would have some credit at the very least.

    And if something were to happen because of it, it all again depends on whether you were working there or provided someone with inside info. If both are no, then it's not your problem.

    Since most people go with the approach of reporting it, if there's any payout or credit it's usually up to the other party to decide.

