Disclosing Website Vulnerabilities with the Threat of Criminal Prosecution
July 26, 2010 by Philip Franckel, Esq.
Another website vulnerability disclosure carrying the threat of criminal prosecution has been in the news. It appears that Goatse Security disclosed that AT&T’s website exposed the email addresses of iPad owners: if anyone guessed and entered a valid username, the site displayed the email address associated with that user.
The Wall Street Journal reported that AT&T issued a statement saying “…it would cooperate with any efforts to investigate or prosecute the breach [of its website].” Why would someone be prosecuted for disclosing a risk of identity theft so that the vulnerability could be fixed? A look at several of the incidents alleged to have “gone over the line” shows similar or shared characteristics.
In the AT&T iPad episode, the Wall Street Journal reported another expert as saying that Goatse Security “…created a program that exploited the hole, harvesting 114,000 emails of iPad owners.” If this is true, Goatse Security may have built what amounts to a burglar’s tool, which could be prosecuted, and the sheer number of email addresses taken would be evidence of it.
This might have been overlooked, and perhaps even met with a “thank you” from AT&T, if Goatse Security had obtained only half a dozen email addresses, taken a screen capture, reported it directly to AT&T, and not disclosed it publicly. According to Ryan Naraine at ZDNet, Google and Mozilla will even pay you for finding vulnerabilities; Microsoft will only thank you and give you credit, which is also valuable.
One of the problems with disclosing vulnerabilities is that the vulnerability is often not discovered accidentally through normal use of the website as intended by its owner. Instead, vulnerabilities are often discovered by people deliberately searching for them, using the same means an illegal hacker would use.
Some characteristics that could be evaluated, whether by a company deciding if it has been victimized or has instead been handed useful information by a well-meaning finder, or by a prosecutor deciding whether to prosecute, are:
- Was any software created to identify the vulnerability?
- Were any private areas of the website penetrated in order to identify the vulnerability?
- How much data was taken?
- How much data was needed to identify and report the vulnerability?
- Was the data disclosed to anyone other than the website owner?
- Was the vulnerability reported to anyone other than the website owner?
- If the vulnerability was publicly disclosed, was it disclosed only after the website owner had sufficient time to research the vulnerability, develop an appropriate fix, and deploy or distribute that fix?
- Was the vulnerability reported to the website owner without asking for anything in return?