Tuesday, January 16, 2007

Disclosing Web Vulnerabilities

Today, I was reading this article by Scott Berinato from a link I followed off Slashdot, and I was reminded of some of my own experiences with disclosing web vulnerabilities.

Recently, as I've begun to be introduced to the topic of computer security, I've started to notice vulnerabilities more frequently in my daily online experience. Indeed, I find it quite exciting when I find actual examples of the security concepts or potential vulnerabilities I've read about. It makes the concepts that much more real for me.

That said, I can still relate to the feeling of uncertainty involved with discovering and reporting security vulnerabilities. In trying to be helpful in reporting the vulnerability in an application to the author, am I in danger of being suspected of hacking? Is it then worth the risk and hassle of legal entanglements?

The last paragraph of Berinato's article was particularly ominous:

A gray pall, a palpable chilling effect has settled over the security research community. Many, like Meunier, have decided that the discovery and disclosure game is not worth the risk. The net effect of this is fewer people with good intentions willing to cast a necessary critical eye on software vulnerabilities. That leaves the malicious ones, unconcerned by the legal or social implications of what they do, as the dominant demographic still looking for Web vulnerabilities.

That is truly a scary thought, as the potential implications are a decline in the security of the Internet and a loss of faith in its reliability.

-- Arkajit
