Security suffers when firms sue researchers who report flaws

Researcher gets a visit from police and threats from lawyers after finding flaw in pension fund website. Time for a better way

The disclosure of vulnerabilities has always caused friction between the researchers who find flaws and the software firms who have to deal with fixing defects in their products.

Nowhere is this friction higher than when a researcher finds a flaw in a production website. Last week, for example, Australian security consultant Patrick Webster reportedly found a flaw in the website of pension fund First State Superannuation. Initially the company worked with Webster, but soon the security researcher received a visit from the police and threats from the company's lawyers, according to security site

It's the latest case underscoring the hazards for anyone considering the investigation of possible flaws in websites. In 2005 network consultant Eric McCarty publicized flaws in the online application site for the University of Southern California. McCarty was prosecuted and pleaded guilty to a felony, resulting in six months of home detention. In 2008 a student at Carleton University in Ottawa, Canada, left school and faced hacking charges after he reported flaws in the school's administration system to officials.

Researchers who find flaws are not always the ideal Good Samaritans. For many security professionals, finding flaws is a method of marketing their skills. Others enjoy the challenge of finding flaws, and reporting them to the vendor is an afterthought. Yet reporting vulnerabilities helps security -- even if in the world of software applications many companies would seemingly rather not know.

Investigating issues in production Web servers is a different matter. Companies are rightly worried that a researcher with more bravado than brilliance could take down their service if an investigation into Web weaknesses goes awry. But attacking researchers with criminal complaints and legal threats only creates an environment that makes vulnerable websites the norm.

In interviews over the past five years, many researchers have indicated that if they suspect a website has a vulnerability, they will not investigate or inform the site's owner. Their advice: Just walk away.

Following his own similar case, Pascal Meunier, a professor at Purdue University, advised researchers to never report Web vulnerabilities. Instead, avoid the website and delete any evidence that points to a vulnerability. "You are not responsible for that website, it’s not your problem," Meunier wrote. "You have no reason to keep any such evidence. Go on with your life."

So far, only Google has given researchers a stated policy that investigating potential flaws is OK. Even though the search giant does place caveats on the immunity it will give researchers, other companies should follow Google's lead.

This story, "Security suffers when firms sue researchers who report flaws," was originally published at InfoWorld.