The chilling effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.

A limited pool of bravery

What happens next depends, largely, on those who publish vulnerable software on the Web. Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is? Christey remains optimistic. "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet.

Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers' intention, confidently cutting the current with the winds of McCarty's guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, "If the FBI came to my door [asking for information on people posting to the discussion board], I'd say 'Here's their IP address.' I do not protect them. They know that."

He sounds much as Meunier did when he conceded that he'd have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: "I've exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about ABC NetworksACTAltavistaCarnegie Mellon University AustraliaCBS CorporationCERT AustraliaCiscoCreativeFBIGatewayGoogleHISIBM AustraliaIETFInternet Engineering Task ForceISS GroupMcAfee AustraliaMellonMessengerMicrosoftMozillaNetcraftNikePayPalPetcoPromiseSecure ComputingSpeedUSCVIAWarner Bros

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Scott Berinato

Latest Videos

More videos

Blog Posts