16

If I found or created a 0day and decided to immediately release it into the wild (Giving a P.o.c w/ source). But not using it to actually exploit anything. Can I be held liable for it?

Digital fire
  • 3,126
  • 5
  • 31
  • 44

3 Answers3

18

First, I'm not a lawyer. Second, this completely depends on your local laws. I can only speak for my limited experience with UK and US law.

In most countries, you're covered by free speech laws, assuming the information you're releasing isn't protected by some form of non-disclosure agreement, and isn't classified as a military secret. If you found the 0day as part of a test you performed whilst hired by the company, you're likely to be restricted by contractual obligations (e.g. an NDA). Any form of information that is classified by a government as secret will be covered by a statute (e.g. the Official Secrets Act in the UK, or the Espionage Act of 1917 in the USA), which makes distribution of that information illegal. For private cases where you have no affiliation with the company that produces the software, you're usually not liable. You're releasing investigative information about one of their products, which you should be entitled to do as part of standard free speech legislation.

However, this isn't to say that you'd be 100% off the hook in private cases. Depending on the situation, a company might decide to proceed with a civil suit to claim for damages. I'm not aware of any such successful cases, but it's something to consider.

In the end, it's always best to follow Wheaton's Law: "Don't be a dick!" - practice responsible disclosure and maintain a good relationship with the vendors that you contact. It could end up being very lucrative from the point of view of both rewards and employment prospects.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • re private cases with no affiliation - it is possible you will be restricted by a ToS / EULA, which can be legally enforced in some situations. – AviD Oct 22 '12 at 15:57
  • 1
    @AviD Possibly, depending on how the ToS complies with local law. EULA is a case where you've accepted a contractual agreement, so you can be held liable for in a civil sense at least. Interesting cases start to occur when a minor is involved though - anyone under 16 in the UK cannot enter into a legally binding contract, and many are found to be completely unenforceable under penalty of perjury unless all parties are 18 or over. – Polynomial Oct 22 '12 at 16:00
  • True, this is very locale-dependant, and legalese dependant. In which case, it would revert to IANAL and CYLA (consult your local advocate). – AviD Oct 22 '12 at 16:30
  • Depending on the state law. In MD and VA (USA), DMCA makes it illegal to test security features. Revealing a 0day would seem to be an implicit admission of guilt. I have trouble believing that they'd prosecute, but then I had trouble believing that they'd pass the law. And if you reveal it in particularly stupid manner, it may be in the victim's best interest to use the law as leverage. I (am glad to say) that I am not a lawyer. – MCW Oct 22 '12 at 18:17
  • 9
    (as my friend who just got his J.D. says, the universal answer to all legal questions is "It depends" followed by a estimate for billable hours) – MCW Oct 22 '12 at 18:18
2

It depends on where you are, but overall no. In Germany you could theoretically be accused of a crime, not just sued, although it's extremely unlikely it would happen. In most of the world nothing would happen to you besides being flamed, castigated, and vilified. After all, this has happened before, numerous times, and although you'd probably get a load of grief there's no precedent for a lawsuit based on releasing information about a vulnerability.

Think of it this way, what could they sue you for? You didn't write the software, a developer did, and developers doesn't get sued for security bugs (If they did, things would change in a hurry wouldn't they?), so how can you be sued for finding one? It would set a terrible precedent as nobody would look for bugs if they got sued for finding them, so the only ones who would be finding bugs would be the criminals, and they wouldn't be bringing them out into the open.

Ethically though you really should notify the developer of the software and giving them a chance to patch it before releasing it. It's good Karma.

GdD
  • 17,291
  • 2
  • 41
  • 63
2

Again I'm not a lawyer or anything, but I know that in the UK and under the Computer Misuse Act 1990 Section 3a:

3a: Making, supplying or obtaining articles for use in offence under section 1 or 3

  1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  2. A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  3. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
  4. In this section “article” includes any program or data held in electronic form.
  5. A person guilty of an offence under this section shall be liable— (a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; (b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; (c)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

Therefore in the UK you would be supplying an exploit and therefore breaking the Law as this may have an effect on Sections 1-3.

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
LukeJenx
  • 101
  • 3
  • The particular bar in the questioner's case being "believing that it is likely to be used to commit", which means "ah, well, I didn't *intend* for it to be used to crack anyone's system" isn't sufficient. You'd have to say, "ah, well, I didn't believe it would be used", and that just might not be credible. That said, I don't *think* courts will construe a prose description of a vulnerability as "an article used to commit an offence" when someone uses it to crack a system. I may be wrong. Working exploit code, I think they would, even if the attacker had to add their payload to make it usable. – Steve Jessop Apr 28 '15 at 22:01