Security researcher faces jail time for publishing software vulnerabilities

By Bill Detwiler, Editor

Guillaume Tena, a French security researcher currently with Harvard University, could face jail time for publishing vulnerability research on TEGAM International's Viguard antivirus software. French prosecutors claim that Tena violated French copyright law by publishing his research, which, according to a French judge, included some re-engineered Viguard source code. Prosecutors are seeking a 4-month jail term and a 6,000 euro fine (approximately 7,890 US dollars).

How should we balance the developer's copyright and trade secret privileges with the public's need for secure software?

How do you believe software vulnerabilities should be disclosed?

Should researchers and IT professionals submit vulnerability research first to developers and allow for a fix before going public?

How long should developers be given to release a fix before vulnerability research is made public?

depends on..

by Jaqui In reply to Security researcher faces ...

how you are publishing the information.

Publishing that the exploit exists: right away.
Publishing exactly where it exists: not until after it's patched.

Publishing code for the exploit (the actual malicious code): never.

What do you gain

by daappley In reply to depends on..

What does a person gain by publishing an issue that they find when there is no fix for it? This is especially pertinent when you are dealing with closed source software. If you are not able to help create a fix, then I feel that it is extremely imprudent to publish the issue, as you are now CREATING the problem by giving malicious users the information they need to exploit those systems. I believe a software vendor needs to be given sufficient time to create a fix before any flaws are published to the general public. It seems to me that they want to get the word out first simply so they get credit for the find, not for any benevolent reason.

user awareness....

by Jaqui In reply to What do you gain

and if the vulnerability is in an open source app, you get a huge number of programmers working on fixing it... FREE.

You can't even try to protect against it if you don't know it's there. So let people know so they can try to find workarounds until it is patched.

Cannot agree with FORD analogy

by Aaron A Baker In reply to Security researcher faces ...

I'm sorry; I cannot agree with the "Ford analogy" for disclosure of the virus of which we speak. Having communicated with Secunia, the firm who "supposedly" reported the fault without notifying Microsoft, I was told that it was in fact another "firm" which works for Secunia, called "Hex Dump", that went public prematurely, even before alerting Secunia or Microsoft about the problem. This in my opinion was the wrong thing to do. If I had a Ford and the brakes were dangerous, the very FIRST people I would call would be FORD. If no action was immediately taken, I would then consider the alternatives. This firm, however well intended ("if this is what it was and not grandstanding"), was definitely wrong to act as they did. They worked for Secunia; they should have either informed Secunia, as is their first duty, whereupon Secunia would have immediately reported the problem to Microsoft, or, in the event that Secunia didn't act, reported to Microsoft directly, not gone public. This is the proper way of doing things, not going behind someone's back and blurting it all out without giving the firm in question notice or time to take action. An action that I'm sure would have been immediate. No matter how we look at this, this type of knee-jerk reporting causes nothing but panic, worry and embarrassment, and should definitely be considered inappropriate and inexcusable. There is also the element of trust. Secunia trusted this firm, and this "firm" should have done the right thing: report to Secunia first and Microsoft. Both being highly reputable, they would have taken immediate action, and rest assured that they too would have published the problem without the cost of embarrassment to Microsoft. The bottom line is that we, being techs, know very well there is a right way and a wrong way; in my opinion, this was definitely the wrong way.
Thank you.
Aaron A Baker

Apologies to You

by Aaron A Baker In reply to Cannot agree with FORD an ...

My apologies to you all, I was referring to another situation of the same thing. However, I feel the same for this as I did for the other.
Aaron A Baker

MS...Immediate Action??

by Mr L In reply to Cannot agree with FORD an ...

Sorry Aaron, that dog won't hunt. Yes, vulns should be disclosed to the vendor, who should be given a reasonable, but not open-ended, window to remediate... then the vulnerability should be disclosed. There have been (many, many) documented instances of Microsoft sitting on vulns for 6 months+ without a fix, so please don't think that they respond "immediately".

Without the "threat" of public disclosure, do you really think that vulnerability remediations would be nearly as quick as they are today?

Sorry to disagree

by Aaron A Baker In reply to MS...Immediate Action??

This firm's first duty was to report to "Secunia", and only "IF" Secunia didn't take action should they have notified Microsoft. And yes, I am well aware of the Microsoft clock. That doesn't change the fact that this firm was working for Secunia, and their first duty is to their employer, yes? Therefore, by going "around" their employer's back to make themselves look good, they have committed a "breach of trust" and should be treated accordingly. For all of our knowledge, savvy, savoir faire and anything else we can think of, the first thing we "must be is up front and honest"; as techs, we all know that. Our honesty "is" our reputation. This in my opinion was not the case here, and therein lies my objection. They should have done the right thing.

Law, Courtesy and Common Sense

by awfernald In reply to Security researcher faces ...

I have no idea what French law says on this issue, so whether what the guy did was right or wrong would depend on that.

However, courtesy says... the researcher should have notified the software maker first to give them a chance to start working on the defect, then, if that didn't happen, publish the work.

Common sense says... alert the software maker and publish the work without having a "how to exploit this defect" attached, simply telling that there is a flaw of x type, and that the company is coming out with a fix at this time.

Despite my disappointment

by daappley In reply to Law, Courtesy and Common ...

I don't think this fella deserves jail time. I mean, when did bad judgment become a crime? If he can be put in jail for making a bad decision, then I think we could all be deserving of jail time. I'd like to see him say "sorry, I will NEVER do that again" and that would be that in my eyes.

Depends on how bad the judgement was...

by Jessie In reply to Despite my disappointment

Robbing a liquor store... drinking and driving... child abuse... these are all examples of bad judgement for which I will personally not accept an "I'm sorry, I'll never do it again."

Now, not knowing what exactly was published, what French law dictates and what have you, it would depend entirely on the depth of the moronity. If you loan a buddy a gun knowing that he might use it to murder someone, you are an accessory to murder. If you publish info about a software vulnerability knowing there are PLENTY of hackers out there who will exploit that info, that makes you an accessory to virus creation/distribution.