The disclosure of vulnerabilities has always caused friction between the researchers who find flaws and the software firms that have to fix the defects in their products.
Nowhere is this friction higher than when a researcher finds a flaw in a production website. Last week, for example, Australian security consultant Patrick Webster reportedly found a flaw in the website of pension fund First State Superannuation. Initially the company worked with Webster, but soon the security researcher received a visit from the police and threats from the company's lawyers, according to security site Risky.biz.
It's the latest case underscoring the hazards for anyone considering the investigation of possible flaws in websites. In 2005 network consultant Eric McCarty publicized flaws in the online application site for the University of Southern California. McCarty was prosecuted and pleaded guilty to a felony, resulting in six months of home detention. In 2008 a student at Carleton University in Ottawa, Canada, left school and faced hacking charges after he reported flaws in the school's administration system to officials.
Researchers who find flaws are not always the ideal Good Samaritans. For many security professionals, finding flaws is a method of marketing their skills. Others enjoy the challenge of finding flaws, and reporting them to the vendor is an afterthought. Yet reporting vulnerabilities helps security -- even if in the world of software applications many companies would seemingly rather not know.
Investigating issues in production web servers is a different matter. Companies are rightly worried that a researcher with more bravado than brilliance could take down their service if a probe of a website's weaknesses goes awry. But answering researchers with criminal complaints and legal threats only creates an environment in which vulnerable websites are the norm.
In interviews over the past five years, many researchers have indicated that if they suspect a website has a vulnerability, they will not investigate or inform the site's owner. Their advice: Just walk away.