Hacker News

How could a bug report be illegal?

If you merely say that you observed a crash in someone else’s software when a certain argument is passed, and that makes you liable for their bug, we are all in big trouble.



This isn't just a bug report; this is more like lockpicking instructions.


Pretty sure that lockpicking instructions are legal. You can find a lot of lockpicking channels on YouTube.


I’m sorry, but this isn’t an RCE. It’s a low priority issue.


Which could also not possibly be illegal.


Well, there is a difference. First, that certain argument (malformed certificate) was not randomly encountered; it was specifically constructed to trigger the vulnerability (Was reverse-engineering involved? I don't know). Second, this bug report not only discloses the fact that the vulnerability exists, but also provides a working example for any script-kiddie to use as an exploit. Third, the bug was not privately disclosed to the software vendor, but was released to the public. From https://security.stackexchange.com/questions/22973/if-i-find... it seems that would be criminal in the UK or Germany, no idea what could've happened in the US. On one hand, you have the First Amendment; on the other hand, there is an EULA.



