Monday, October 10, 2011

On Information Leakage/Disclosure and Responsibility

I enjoy helping people. I enjoy helping them learn, and helping them not make mistakes. Sometimes, however, I find mistakes people have made and am told to walk away from them.

When I find a security hole in a website, I don't always have permission to look at it or exploit it. I _never_ do damage to systems I find security holes in. I tell the appropriate people what I have found, how I found it, and how to resolve it, and I make sure they understand I had no ill intent.

I have found security holes (usually SQL injections) in very large websites that deal with customer data, online shopping, etc. I have even found SQL injections in government websites. I am told by seasoned professionals in the security field that the best thing to do when finding these holes is to walk away and pretend I never found them. Companies love suing people, and governments love imprisoning people.
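For readers who have not seen one, the following is an added illustration (not code from the original post or from any of the sites it mentions) of the kind of SQL injection described above. It assumes a constructed in-memory SQLite table of customer records, a lookup written with string concatenation, and the same lookup written with a bound parameter; the two payloads show why a reporter can "pinpoint the flaw" without modifying anything.

```python
import sqlite3

# Constructed sample data standing in for a shop's customer table.
# Hypothetical schema and rows, not taken from the original post.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, order_total REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (email, order_total) VALUES (?, ?)",
        [
            ("alice@example.com", 120.50),
            ("bob@example.com", 75.00),
            ("carol@example.com", 310.25),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The classic bug: user input is spliced into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    sql = "SELECT email, order_total FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterised query: the input is bound as a value and can never
    # change the structure of the statement, whatever it contains.
    return conn.execute(
        "SELECT email, order_total FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    conn = build_db()
    # Payload 1: turns the WHERE clause into a tautology and dumps every row.
    tautology = "' OR '1'='1"
    # Payload 2: a UNION that reads the schema catalogue; the trailing quote
    # left behind by the concatenation is neutralised by the '--' comment.
    schema_leak = "' UNION SELECT name, sql FROM sqlite_master--"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "bob@example.com"),
        "injected_vulnerable": lookup_vulnerable(conn, tautology),
        "schema_leak_vulnerable": lookup_vulnerable(conn, schema_leak),
        "injected_safe": lookup_safe(conn, tautology),
        "schema_leak_safe": lookup_safe(conn, schema_leak),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both payloads are read-only: they demonstrate the hole (every customer record, then the table definitions) without altering data, which is the distinction between reporting a flaw and the "drop all tables" threat that gets people sued. The parameterised version returns nothing for either payload because the literal string is simply compared against the email column.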

I feel like this is completely irresponsible. It is absolutely contrary to what I was taught growing up. If I can help a company out by pinpointing their flaws before an attacker does, I should not fear being sued or imprisoned. I consider it a matter of Good Samaritanism. You don't imprison or sue those trying to help you.


  1. Actually, being a Good Samaritan does not mean not getting sued or jailed. Laws in many individual US states require those with training to stop at the scene of an accident; however, the law also makes them responsible for the victim.

  2. The sad thing is, I get the impression that most companies will do nothing unless there is a public disclosure, at which point they sue you for hacking their website. Awesome.

  3. I once pointed out a security problem with the World Health Organisation website, and received some very hostile abuse when I tried to explain how it was being actively abused. They never thanked me.

    I would do it again though.

  4. I once pointed out an SQL injection vulnerability in Hillary's website to a friend who worked for the Democratic Party. He called up her sysadmin and told him the vulnerability existed, got a "yeah right", and threatened to drop all tables. The sysadmin told him to hold on, backed up the database, moved one DB server to a different port number, and told him to run the attack against that. And then he was glad he'd backed up the DB first. It got fixed.