Can I get into trouble for identifying vulnerabilities on someone else's website?

Is it possible to get into legal trouble for identifying vulnerabilities in a web application, even if you do not use them?

I have sometimes looked at tools like NetSparker to find out whether a site has any vulnerabilities, and I would like to contact the site owner to find out whether they would be interested in having me fix them. I suspect some of these people may get angry or misinterpret my intentions, and I'm curious whether I can get into any trouble just by finding these security problems.

3 answers

If you are looking for vulnerabilities in open source software or commercially available software, and you are a US citizen, you are protected by the 1st Amendment. It is legal for you to write exploit code and do whatever you want with it (as long as it is not sold to terrorists / crowds). If you find a flaw, report it to BugTraq and put it on your resume. Over the years, I have collected CVE numbers many times, and I have actively written exploit code.

In Germany and France, the laws are slightly different; possession of "hacking tools," such as exploit code or even NMAP, can land you in jail. You may also be interested in full disclosure laws.

On the other hand, if you go around checking websites looking for vulnerabilities, you are breaking the law, and the FBI will investigate you. Do not use vulnerabilities on random sites without the permission of the owners.


You should not get into trouble, but depending on how big a member and who is embarrassed and who feels threatened, you can easily turn into the next Adrian Lamo.


What can get you in trouble often comes down to what "they" can convince the judge of. Of course, it is possible that the company could see such an act as a real attack (the wrong person in the company makes mistakes and screams loudly about it) and seek some damages from you. Just remember that "being right" or "being reasonable" or "making sense" does not really matter much in the US legal system (assuming the United States here).

Nevertheless, as a developer, I absolutely recommend testing for the vulnerability and reporting it to the developer of the product under test. But, unfortunately, you must carefully protest.
