
Is it legal for me to write a small exploit (possibly for a closed issue) and put it up on the internet for everyone to see (as a tutorial)? I have been researching the legality of exploiting vulnerabilities and I came across the CFAA (Computer Fraud and Abuse Act). It looks like there is nothing in the CFAA that explicitly prevents something like this, but I might be overlooking something.

FYI: I am currently located in Canada and I am interested in legal issues that relate to North America.

essefbx

1 Answer

I don't know about the CFAA specifically, but good general guidelines for educational or exploratory penetration testing are:

  1. Only attack servers that you control, or that you have express permission to attack. For example, some people leave up websites with known vulnerabilities so that others can "practice hacking" on them. These sites usually have a disclaimer expressly giving you permission to attack them. Without that disclaimer, you can get in big trouble for launching an attack on a domain that you don't control.
  2. Only publish exploits for known (and patched) vulnerabilities. If you are playing with exploits that have already been published in academic journals / conferences, or are otherwise well known, then you're probably OK to post them on the internet, especially if a patch is available. However, if you discover a new exploit, or are unsure if it's new, then it's better to go through official channels and notify the vendors before making anything public.

EDIT:

The OWASP WebGoat Project exists specifically to address issue (1):

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

You can download and install the WebGoat packages onto your own machine and then run all the attacks you want!

If you have strong concerns about issue (2) and publishing, you could always get in touch with your local OWASP Chapter and ask them.

Mike Ounsworth

A frequent practice I see on each clean research or educational site is some kind of disclaimer saying something like "The information provided here is for educational purposes only. All unauthorized use etc.". I'm not a lawyer, so I can't tell whether such a mention has any real juridical weight, but it may help to show your intent to be "on the white side" as an IT security student / researcher. – WhiteWinterWolf Apr 28 '15 at 15:47