33

I'm from Canada, and I'd like to know one thing. I know a bug on one website. I'm not sure if it's legal here to search for bugs on a website and NOT use them; instead, tell its company about it.

iamart
  • Bug or exploit? I've never heard of somebody getting in trouble for pointing out a UI flaw. I don't think I'd ever report an exploit in a way that would identify me or my user on their site given some of the absolutely despicable ways people have responded to that. – Erik Reppen Jun 11 '13 at 22:22
  • @ErikReppen: http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html - like what happened to this guy? – stickman Jun 11 '13 at 23:12
  • Are you really asking for legal advice off the internet... – mattnz Jun 12 '13 at 00:56
  • Localized question. Vote to close. This is of use only to people from one locality in Canada, and even there, although I'm not an expert on Canadian law, I suspect that even the guy who represents himself in court has a better lawyer than the guy who takes legal advice from the internet. – MCW Jun 12 '13 at 11:11
  • In many/most cases the normal steps you'd take to 'see' if a bug or vulnerability exists can be construed as an attack (at least by some legal systems). – Rob P. Jun 12 '13 at 11:46
  • @MarkC.Wallace Based on that reasoning, a large fraction of the currently open questions tagged "legal" seem candidates for closing. We could start with all the ones that deal with matters specific to the USA. Possible examples: http://security.stackexchange.com/q/29173/2138 http://security.stackexchange.com/q/26188/2138 http://security.stackexchange.com/q/22973/2138 http://security.stackexchange.com/q/22931/2138 – user Jun 12 '13 at 16:29
  • Agree - I believe we should close all questions that request legal advice. I do not believe these are appropriate to SE. At best the advice is worthless; at worst it is conspiracy to violate the DMCA (anyone who points out that the DMCA is US only is really only supporting my point about localization). – MCW Jun 12 '13 at 16:54
  • @ErikReppen It's an XSS vulnerability. – iamart Jun 13 '13 at 01:19
  • @stickman I was actually thinking of that kid in Canada who got kicked out of the school he was attending for discovering an exploit and trying to prove it, basically. – Erik Reppen Jun 13 '13 at 01:26
  • @ArtDesire That's an exploit. If you have no easy way of contacting them anonymously, I wouldn't. Sucks, but people are crazy !#$holes. Especially no-talent hacks more likely to be responsible for leaving large gaping holes in the systems they're responsible for. – Erik Reppen Jun 13 '13 at 01:29

8 Answers

35

It is legal to tell them about the bug, giving them a detailed description of the bug and how you came across it.

What is unpredictable is the company's reaction. It could vary from something such as them sending you a reward/small gift (this has happened to me) to them trying to prosecute you as a criminal (tipping them off anonymously could help with this issue). If the bug compromises the website and its information, make it clear that you have not used the bug in this way.

If you have the knowledge, try to make suggestions on how to fix the bug, to make it even clearer to the company that you are trying to help them out (something I did as well).

Important note: if the company refuses to recognise the vulnerability, do not seek ways to exploit it to get it attention. This will most likely result in legal action against you.

syb0rg
  • Be careful! It may be legal in *your jurisdiction*, but that doesn't mean that every government allows this behavior. Also, are you a lawyer? If not, why are you giving what could be construed as legal advice? – atk Jun 12 '13 at 01:39
  • Does it bother anyone else that legal advice is somehow on a higher level than moral and ethical advice? Lawyers are just people too, with a specialty no doubt. I don't expect people to say they are not an author/editor/publisher when critiquing a book. I don't care what your title is, I care what your experience and track record is. – antony.trupe Jun 12 '13 at 02:20
  • @antony.trupe: It's not that it's "on a higher level" but that it can be illegal to provide legal advice without a license in certain jurisdictions. Laws are also written to be terribly difficult to understand, and so a non-lawyer who is not citing specific laws and/or precedent may not be representing legal reality. – atk Jun 12 '13 at 02:45
  • I completely agree @antony, I'm not a psychologist and yet I gave relationship advice to a friend the other day. So what? Why is anything even remotely touching a legal topic such a taboo on the internet? – Andreas Bonini Jun 12 '13 at 02:46
  • @atk Are you providing advice that it might be illegal to provide legal advice? Is that legal advice? ;) – antony.trupe Jun 12 '13 at 03:09
  • Can I have problems if somebody executes or executed the exploit? – NARKOZ Jun 12 '13 at 10:16
  • I am not a lawyer... but as I understand it, if you give legal advice with the reasonable expectation that you are a lawyer, then you can be sued by whomever you give the advice to if it is incorrect. Not a "higher level", but moral and ethical advice is much less likely to be litigated over. – CLo Jun 12 '13 at 12:08
  • @antony, the question is not whether it's moral/ethical/a good idea to do this. The question is whether it's legal, and lawyers are indeed the ones qualified to answer it. I.e., never mind whether it's _legal_ for a non-lawyer to give legal advice: the question is about law, not ethics. –  Jun 12 '13 at 12:18
29

In Canada it appears as though you're safe ... for now. Anywhere else, it depends on whether by "search bugs" you mean finding exploits on someone's site in a way that might violate their Terms and Conditions of usage for the website (e.g. penetration testing).

There are a couple of different ways this could go, depending on the reaction of the person who receives the e-mail, how the message is worded, and the declared steps for reproducing the problem.

Typical Legal Polite Example:

Dear Sirs,

Through normal browsing I found an exploit on your website that may compromise your server. I work in the IT industry and noticed that this page http://www.somesite.com/somepage is causing <list exploit here> which could compromise the integrity of the site. I enjoy using your site and thought I would bring this to your attention.

Best Regards,

-ArtDesire

The following might not be interpreted as legal:

Sometimes presentation is everything and while people may have the best of intentions, testing exploits or reconfirming an exploit might be taken the wrong way. This is typically not a good legal example because it's letting the server's admins know their Terms of Service have at the least been violated by the person submitting the notice:

Yo Dudes,

I was totally trying out this new script I found online and saw that somebody could totally pwn your server by following this link <link here>. You might want to check it out. I only tested it a couple of times.

Good Luck,

-ArtDesire

Actively testing exploits on someone else's site is definitely illegal in some municipalities. Servers maintain access logs, so if anything questionable has happened, and then the admins were notified, it might throw up a flag for them when they go back through the logs. Then they can use any information in the e-mail (including headers) and anything they have access to directly in order to try and trace what happened. Tracking cookies on the client machine may be used as evidence in an investigation.

Once an investigation is initiated, actions are dependent on the laws in regard to the location of the server (physical control), the laws of the country in which the server resides, the maintainer of the server (who is responsible for the server's content in some countries), and extradition policies based on whether guilty until proven otherwise or vice versa.

If a bug is found (e.g. code spilling out on the page), it's not normally illegal to let someone know.

Most of the sites where I've tried to inform someone about an exploit usually end up with a canned response, something like:

"We use the best programmers in the world and you don't know what you're talking about. If there was an issue we're sure the programmers know about it and are working on it."

or they'll say:

"The issue you've found is likely an issue with your computer. We can't guarantee that everyone will have the same browsing experience."

Remember that "No good deed goes unpunished." Hacking laws are becoming more strict and the interpretation of those laws often falls into the hands of the uninformed. To be on the safe side, I always remember to document everything.

AbsoluteƵERØ
  • See http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html for an example of an inept response: "Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers." Also http://www.bbc.co.uk/news/technology-19316825 – armb Jun 12 '13 at 11:44
  • BTW, I've seen instances where companies answered "we don't know what you're talking about, we're super-secure" and then quietly fixed the problem. So you may hope the good deed is still done, just you're not getting any credit for it :) – StasM Jun 13 '13 at 04:39
  • @StasM You should probably report it anonymously either way, so you wouldn't get credit anyway (well, maybe they will add a "fixed by anon" somewhere in their changelog, but hey) :p – Thomas Jun 14 '13 at 02:42
11

Many websites have a disclaimer that forbids you to conduct any security tests on their website.

Therefore, if you really want to do it, I suggest that you report the bug anonymously and like others said, make sure to mention you've only done this to help them.

Simon
11

I like a few of the answers here, but thought to mention another possibility - disclosure through a legal representative. I'm not saying this might be worth your trouble, but it can work in a situation where you don't want to disclose any information that could lead to identifying you (inspection of server logs for matching activity, as @AbsoluteƵERØ mentions in his answer, or revealing your identity later on while trying to notify the web server's respective owner).

In a sense, your legal representative would be testing the grounds, and can possibly even agree on non-prosecution disclosure terms. You can then later decide either to proceed with detailed disclosure that might help the owner to mitigate any potential vulnerabilities found, or simply walk away if you don't have reasons to trust the owner, fear prosecution, or your legal representative advises you so. This is usually referred to as an informed tactical decision in legal lingua (I'm obviously not a lawyer, mind you).

A legal representative is obliged to protect your interests, and cannot be forced to disclose any incriminating information or reveal your identity, unless a clear threat to lives, or a similar level of danger, is presumed (depending on local laws). These laws are relatively similar in most democracies, though I wouldn't know specifically for Canada. It shouldn't cost anything to ask a lawyer directly though; legal advice is usually (and should be) free, while the cost of handling the agreed-upon disclosure protocol can be covered by the disclosure's benefiting party (the owner).

Anyway, just thought it's worth mentioning this option. If you deem it too involved and time-consuming, then I suggest you follow suggestions by those answerers that understand you might get yourself in trouble and suggest what to pay attention to and how to go around this issue. Seeing this question sufficiently covered before my answer, I didn't want to repeat the points already made.

Edit to add: One thing is not particularly clear though, that might limit our ability to give a more meaningful and relevant answer. What exactly do you mean by "find bugs"? Did you stumble upon them by chance, by normal use of their website, you just so happen to know some bug is exploitable and whatever you did to learn about them is repeatable by any other ToS respecting user, or have you actively been searching/scanning for bugs and vulnerabilities? This is IMO the most decisive factor whether you could disclose findings without fear of prosecution, or you should take precautions (as already covered in other answers).

TildalWave
  • +1 for seeking actual legal advice and the suggestion to possibly use a legal representative. – user Jun 11 '13 at 21:18
4

It probably depends on how you found it. If it is something that you found casually using the site, it's probably pretty unlikely that anything could be done to you if you report it to the company. If you were digging for bugs and actively trying to find problems, then it could be a very different story.

It can vary based on local laws, but in general, the heart of the issue is based around if you were using the system in the way they intended it to be used when the bug was found. If you were using the site correctly and stumbled across it, then you should be ok.

If you were seeing what whacky input you could put in and found a way to get an invalid response, then you might be in trouble unless they have an established bug hunting program where they have asked people to try to find problems in their system.

If it isn't clear if they have a bug hunting program like this, a possible way to approach it is contact them asking if they mind if you did some testing of the site and provide them with your findings. If they ask you not to, then don't tell them about the bug. If they say fine, wait a couple days and then let them know what you found.

AJ Henderson
  • I was with you until the last paragraph. If their administrators are any good, they have access logs, so they'll know that you already ran your program. – Brendan Long Jun 12 '13 at 04:55
  • @BrendanLong - good point, though if they already had a log of you testing and they bothered to check it, then they could go after you either way. Since you initially are only asking if they mind, they wouldn't know what to look for to see if you already had. And if they don't mind you looking, they aren't likely to care particularly that you had been looking before you asked. – AJ Henderson Jun 12 '13 at 13:18
3

It depends on what you mean by bug. If what you mean is one that could be exploited to cause harm or gain access to a server, then in the US it would probably be found illegal under the Computer Fraud and Abuse Act. Several white-hat hackers have been arrested in the US even though they did not cause any damage. See this article and notice Adrian Lamo.

It sounds like it could be illegal under Canada's criminal code in section 342.1.

It has been mentioned by syb0rg that some companies are okay with you finding bugs and others are not.

I would advise that you contact the company first and ask their permission. That way you avoid any legal problems that you may not have seen.

Travis Pessetto
2

Notifying them is typically not illegal, but searching for bugs typically is. Many people have gotten jail time for what you are suggesting.

tylerl
  • +1 for the advice to cover your ass (don't search for security holes unless you have permission from the owner to audit). Laws are vague and the threat of legal action will complicate your life. But have "many people gotten jail time"? The wikipedia [list of computer criminals](http://en.wikipedia.org/wiki/List_of_computer_criminals) is small (though likely incomplete), and none seem to fit the pattern of "I found a security hole and didn't use it". In most cases the sentence for virus creators/bot net owners/website defacers is relatively light (e.g., community service). – dr jimbob Jun 11 '13 at 21:33
-1

Actually, it would fully depend upon the terms of your use of the site. If the site says you cannot do any type of security testing, and you do, you may find yourself in violation of the CFAA (18 U.S.C. § 1030 (a)(2)(c) in particular) (assuming you or the site is in the US), which can bring felony charges and jail time. That being said, almost every internet user is in violation of the CFAA yet very few people get punished under it, so it is really up to how the company in question will react and how much political power they can swing. Also, there is a difference between finding a bug via normal use and actively looking for bugs, so it may also depend upon the website's terms.

But, for us to be fully certain about the legality, we would need to bring lawyers in. For example, is there some kind of good Samaritan protection? Perhaps in your jurisdiction but not where the website is being hosted. In such a case, which law applies?

In conclusion the laws are too complex for a simple conclusion, and while I and others I know would be thankful for the help in fixing any problems, I cannot speak for the owner of the website(s) in question.

Lawtonfogle
  • *Assuming you are in the US* - the OP clearly states they are from Canada. – syb0rg Jun 11 '13 at 20:38
  • @syb0rg I edited it to say 'you or the site'. OP being in Canada would not invalidate the law if the site was hosted in the US, though it would make things more complex. – Lawtonfogle Jun 12 '13 at 13:07
  • @syb0rg I'm no lawyer, but depending on exactly what was done the US could request extradition. It is unlikely in most cases as I doubt they would be big enough to deal with, but it is a possibility. This article may offer some insight on cyber crimes: http://www.fbi.gov/atlanta/press-releases/2013/algerian-national-extradited-from-thailand-to-face-federal-cyber-crime-charges-in-atlanta-for-spyeye-virus – Travis Pessetto Jun 12 '13 at 14:46
  • @Lawtonfogle Just FYI, I wasn't a down-voter. – syb0rg Jun 13 '13 at 03:52