Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Ethics and legality regarding reporting online holes in security software

  • 23-06-2017 10:39am
    #1
    Closed Accounts Posts: 2,021 ✭✭✭


    Hi,

    I have a question maybe someone can advise.

    All hypothetical.

    Say a person discovers through a flaw in a company's security software which if explored may cause issues for said company.

    This person advised the company that they have discovered this and of said company pays them they will confirm what it is and advise how to fix it.

    Is this part in anyway against the Law? I wouldn't believe so.

    Next part is say company refuse to pay and this person does not advise them is this persona liable for anything that happens here on out for not advising the company of what the issue is.

    All hypothetical but in curious in this age of online security how it would pan out


Comments

  • Registered Users, Registered Users 2 Posts: 7,806 ✭✭✭GerardKeating


    Hi,

    I have a question maybe someone can advise.

    All hypothetical.

    Say a person discovers through a flaw in a company's security software which if explored may cause issues for said company.

    This person advised the company that they have discovered this and of said company pays them they will confirm what it is and advise how to fix it.

    Is this part in anyway against the Law? I wouldn't believe so.

    Next part is say company refuse to pay and this person does not advise them is this persona liable for anything that happens here on out for not advising the company of what the issue is.

    All hypothetical but in curious in this age of online security how it would pan out

    It can all depend on how something is worded, a bit like the difference between tax evasion and tax avoidance, for example one of the statements below is not a crime.
    • There is a hole in your security, give me One million Euro or I tell the world
    • There is a hole in your security, give me One million Euro and I will fix it for you.


  • Moderators, Society & Culture Moderators Posts: 9,769 Mod ✭✭✭✭Manach


    While this might not directly address the OPs question, it is based on IT security training and readings of IT law books.

    There are levels of entry allowed on IT systems, just as in their real world analogues. There are also different actors, such as customers to a site or people hired to provide security. So there would likely be no issues in highlighting problems in an area where the general public are allowed to be - eg a landing page but an area like the Database backend can be distinguished as viewing the code there would have entailed a measure of tresspass to reach that area.

    Finally, there are some companies that do have the practice of paying bounties for code errors/security leaks - they would seem to have the better model than those just ignoring such issues.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭scamalert


    above poster has a fair point about how the vulnerability was found, if it was by some random analyzing/debugging at home -then yeah go for bounty approach, if it was inside company just report fix issue, or if its software developer code issue you'd better luck contacting them.

    that said dont think any company would be willing to pay out,unless its massive company and you found some 0 day exploit,and not some mis-config chances are slim anyone would pay you.If its software then you would have some credit at very least.

    And if smth were to happen because of it, all again depends were you working there,or provided someone with inside info if both are no, then not your problem.

    Since most people go with approach to report it,if theres any payout or credit its usually up to the party to decide .


Advertisement