Are Bug Reports Against the Law?

Aug 13, 2003

This editorial by Mark Rasch was quite an eye-opener in terms of where this country may be headed. Rasch focuses on the case of Bret McDanel, a former sysadmin for Tornado Development, who sent emails to Tornado's customers about a security flaw in Tornado's web mail that the company had not fixed for several months, even though McDanel had notified them about it. Whether or not he was right to email their customers, the key point here is that the government prosecuted him under 18 U.S.C. 1030, which makes it a crime to knowingly send information that causes damage to a computer system. The article states that "under the theory articulated by the government, the transmission of any information that can be used by others to impair the integrity of a computer system (or cause loss of reputation) if done without authorization (and who would authorize it?) is a federal crime."

If taken literally, this could mean that any public discussion of a bug or vulnerability in a system or software product could be considered a felony. After all, revealing such a flaw would certainly cause embarrassment and loss of reputation to the company in question. That interpretation of this law is a clear danger to our freedom of speech, and to our right as consumers to be notified of security issues in the software that we buy.

The Sad Tale of a Security Whistleblower (Security Focus, August 18, 2003)
