Re M_wright's blog and legal mistakes when posting security flaw
I just read M_wright's blog where he expresses concerns regarding the numerous security flaws and vulnerabilities within this site. As a senior user, it troubles me greatly and I share his disappointment in management's apparent lack of response and inaction. However, his statement, "If the deadline passes, I will post the 112+ vulnerabilities and exploits I have personally discovered and written here on this website for educational purposes. These exploits will include scripts that can alter your erep point values, hijack other accounts, etc.", causes me great concern.
Clearly M_wright is frustrated, but the threatening manner of his approach may expose him to significant legal action. While some may disagree, I do have some experience in these matters and I thought this would be an opportunity to provide some free legal advice that I hope everyone, including M_wright, will take very seriously.
Publication of truthful information is protected by the First Amendment. Both source code and object code are also protected speech. Therefore, truthful vulnerability information or proof of concept are constitutionally protected. However, this protection is not absolute. Rather, it means that legal restrictions on publishing vulnerability reports must be viewpoint-neutral and narrowly tailored.
Before you post, I strongly recommend you consider the following:
- the risks and benefits of describing the flaw with proof-of-concept code, and whether that code could describe the problem without unnecessarily empowering an attacker.
- whether your proof of concept code is written or distributed in a manner that suggests it is primarily for the purpose of gaining unauthorized access or unlawful data interception, or marketed for that purpose. Courts look both to the attributes of the tool itself as well as the circumstances surrounding the distribution of that tool to determine whether it would violate such a ban.
- whether to seek advance permission to publish, even if getting it is unlikely.
- how to publish your advisory in a forum and manner that advances the state of knowledge in the field.
- that you are not publishing in a manner that enables or encourages copyright infringement, privacy invasions, computer trespass or other offenses.
I think it is noble of M_wright to attempt to educate z vue staff; I just think he needs to be extremely careful about how he goes about it. I hope this was helpful information.