3

Do I have to contact the producer of a software before publicly posting (Twitter, Blog, ...) about security issues of it? Does it matter how this knowledge was acquired (reverse engineering, sniffing network traffic, trial & error, ...)? I'm living in Europe (if it matters).

What about posting exploits? Is there any law prohibiting an exploit with source code, so a security issue could be reproduced by anyone?

I'm talking about general-purpose software like Smartphone apps or desktop applications.

muffel
  • 165
  • 1
  • 4
  • 4
    This question appears to be off-topic because it is about law. – Guntram Blohm Nov 30 '14 at 13:28
  • 1
    @GuntramBlohm: Well, we had a discussion about that at the beginning of this site. And, finally, it seems to be okay to speak about the legal aspects of reverse-engineering here (if the question is focused enough). People have a lot of questions about the legal aspects of Reverse and a lot of beliefs about it (most of them are wrong, indeed). Trying to explain better all these mechanisms (as you did) should help. And, no, lawyers are not really better than technicians to answer this question (believe me!), most of them won't understand the question if it is stated with technical terms. – perror Nov 30 '14 at 14:36
  • 2
    You might be interested in this Law Stack Exchange proposal which is now in commitment phase. – Franck Dernoncourt Nov 30 '14 at 18:29

2 Answers2

6

Short answer: don't ask us, ask a lawyer.

Long answer: Noone, not even a lawyer, will be able to give you any sound advice without knowing the specifics of your situation, which include the country you live in. There's no European law that supersedes the law of each state, like Federal Law in the U.S. does, each country is responsible for turning EU directives into country law itself. Details may vary greatly between EU states.

Even if you provided very specific details, we probably couldn't help you, because we're technicians, not lawyers. We can probably help you with producing an exploit; we can't tell you if and where it's legal to publish it.

And even if some of us were lawyers: Imagine we tell you it's ok. You publish your exploit. You get arrested and sued because we were wrong. "I asked some forum guys who seemed highly knowledgable about this" won't help your case at all. If you get a written statement from a lawyer telling you what you're going to do is ok, and he's wrong, your chances are good you'll be able to make him (well, his insurance company) pay for your damages. You won't get anything from us.

Guntram Blohm
  • 12,950
  • 2
  • 22
  • 32
  • Also, even if we were lawyers, depending on the specific jurisdiction, we might abstain from answering your question, because it might be construed as giving legal advice and thus making us liable for damages … and I'm not sure how our insurance companies might like such stupidity. – Jörg W Mittag Nov 30 '14 at 15:57
  • I've not been able to find a solicitor/lawyer in the UK who is really willing to analyse, on a case-by-case basis, whether releasing security research is legal.

    The problem is that the vast bulk of their work is with security companies contracted to work for other companies, not the lone researcher working without authorisation.

     – Cybergibbons Dec 01 '14 at 09:24
0

The best and ethical thing to do in this situation would be to contact the producer of the software/system and provide them with examples that verify the security problem. If you want to verify information was received, make contact via phone with recipient and send it via a secure verifiable method ( including overnight express etc....) . If it is indeed an exploit this will allow vendor time to hopefully patch their system and get ahead of any attacks that would benefit from the release of said information. If vendor is ethical and appreciative , they in turn should give you credit for the reporting the security error once they have mitigated the problem (assuming you want to be named).

Lou
  • 24
  • 1