Martin @ Blog

software development and life.

Helping people is a crime?

Today I read about this article on Slashdot. It is written by a teacher who helped a student report a vulnerability on a public (commercial?) website. Because the website was hacked shortly after their report and the police investigated the case, they were almost treated like criminals. I think this is ridiculous. It is almost the same as getting arrested when you report a suspicious bag at a railway station or warn a house owner when you see that he left his front door open. Fortunately, here in the Netherlands there is no law which enables the police to arrest people for reporting a vulnerability, as far as I know (and according to a teacher at our university). Hopefully the EU will not take the US law as an example for this kind of stuff, because the people over there who created this law are obviously not aware of the daily practice regarding the discovery of flaws in software. A typical example of the ignorance of some politicians.
The teacher in the article concludes that you should destroy all the evidence that you are aware of an existing vulnerability and certainly not tell the developer/site owner about the bug. While it may be the best thing to do, it is really crazy that you should do this. How the hell do politicians want to get a ‘safer and better world’ when it is not allowed to report defects? On the other hand, it explains the growing amount of spam, the increase in identity theft, the new problems with phishing and so on… If they are not going to change these laws and rules, I think we are only seeing the beginning of these things.
