Date: Fri, 10 Feb 2012 11:21:28 +0100
From: Info <info@...hell.net>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: posting xss notifications in sites vs software packages

Well... in Germany... our law regarding security in general is very, very vague. It basically says that you have to go to prison if you produce or publish any information and/or tools (for so-called "hacking purposes") in preparation for a criminal offense. And: if you get unauthorized access to data which is specially secured by evading the security mechanisms.

But the European Expert Group for IT Security says that especially the first part does not apply if you're dealing with information and tools in a good-natured way, using e.g. a detailed reporting or documentation.

So I think it's hard to say if looking for a custom website vulnerability (and finally not using it for bad purposes) is illegal... at least it depends on how the judge defines "criminal offense" and interprets your behavior.

@Valdis: Therefore: agree :)

Regards
Julien.

On 02/09/2012 03:23 AM, Valdis.Kletnieks@...edu wrote:
> On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
>> A general question: is it legal to search for XSS vulnerabilities on
>> custom websites ?
> Yes. No. Maybe. Depends where you live, where the web server is physically
> located, and where the corporate headquarters are. In the US, the law you
> need to worry about most is 18 USC 1030:
>
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
>
> "... having knowingly accessed a computer without authorization or exceeding
> authorized access, and by means of such conduct having obtained information..."
>
> It's going to come down to whether the jury believes the prosecutor's version
> or your version of what "exceeding authorized access" means - which is why
> professional pen testers make sure they get a "Get Out Of Jail Free" card, and
> negotiate rules of engagement (what's allowed, what's not) as part of the
> contract. You amateur pen testers are on your own. ;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/