Full disclosure has a long tradition in the security community worldwide, yet different European countries have different views on the legality of vulnerability research. SecurityFocus contributor Federico Biancuzzi investigates the subject of full disclosure and the law by interviewing lawyers from twelve EU countries: Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Poland, Romania, and the UK.
SecurityFocus: What does the current law of your country say about disclosure of security vulnerabilities in software?
(Belgium) Jos Dumortier: There is no specific legal provision in Belgium about disclosure of security vulnerabilities in software. In some cases however, such a disclosure can be considered a criminal act. I am mainly referring to two cases. The first is the crime of "illegal intrusion in information systems" (sometimes called "hacking"). The qualification of this criminal act not only includes the intrusion itself but also "intentionally distributing instruments or data which are mainly conceived to carry out an intrusion".
The second is the crime of "illegal circumvention". This is a rule which has its origin in the European Copyright Directive. Besides the act of circumventing digital rights management software itself, the provision also prohibits the act of intentionally distributing information which enables someone (else) to circumvent DRM systems.
On the other hand, someone who discloses vulnerabilities in software can also be held liable -- if this disclosure causes harm, for instance, to the software vendor. But such liability presumes that the disclosing person has (caused harm) by disclosing the weakness. (Such harm) has to be proven by the other party. Of course, an employee can be held contractually liable for a disclosure if this disclosure has been prohibited by his employment contract. Same with someone who signed an NDA, etc.
(Denmark) Martin von Haller Groenbaek: First off, if you have inside knowledge regarding such vulnerabilities, e.g. because you work at the software company making the flawed software, you are not to tell anyone of the vulnerabilities, since such vulnerabilities would be considered trade secrets -- and disclosure of trade secrets is punishable with up to one and a half years of imprisonment -- and in severe cases with up to 6 years of imprisonment. However, if the vulnerability is not considered a trade secret, e.g. where a user of the software has found the vulnerability, the situation is somewhat different.
If the vulnerability is revealed in a very concrete situation, e.g. if you tell exactly how to use a vulnerability in Internet-banking software -- the person revealing the vulnerability runs the risk of being punished for assisting in a crime -- if the vulnerability is used to commit a crime afterwards. If the disclosure of the vulnerability is less concrete -- disclosure would usually not be punishable by law.
If the disclosure is made by a competitor this would however likely be in conflict with the Danish marketing practices act, and the company disclosing the vulnerability could be fined.
To my knowledge, we only have a single case in Danish law regarding disclosure of vulnerabilities. In the so-called Valus case, a person disclosed in the Computerworld.dk forums that by entering a specific link in your browser you could make the Valus Internet service crash. Valus is an online payment service. He also posted the link itself, but noted that the link should not be clicked. The person disclosing the vulnerability was acquitted, because it was clear that his disclosure was part of a debate, and he had not intended to crash the Web service. However, the persons who actually clicked the link were fined.
(Finland) Ville Oksanen: Finland currently has an extensive set of different crimes pertaining to information technology. The latest additions were made because of the CoE (Council of Europe) cybercrime treaty. However, regarding full disclosure, there are no explicit provisions on the matter in the law. Finnish Criminal Law 34:9a § "Causing danger to computing" may be applicable due to its very wide scope -- the chapter covers both offering code and offering advice which could be used to disrupt networks or software. However, there is one additional element -- intent. The act is only criminal if the goal of the act is to cause harm or damage.
However, the preparatory material of that chapter, which is not binding for courts (but a strong recommendation), actually takes the position that publishing a bug is normally OK, even for pressuring a vendor, but that creating code that demonstrates how to use it is not, unless it is produced to be sent to an organization like CERT. This seems to imply that full disclosure could be criminal. So far there have not been any court cases relating to the matter.