The Laws of Full Disclosure
Federico Biancuzzi

Full disclosure has a long tradition in the security community worldwide, yet different European countries have different views on the legality of vulnerability research. SecurityFocus contributor Federico Biancuzzi investigates the subject of full disclosure and the law by interviewing lawyers from twelve EU countries: Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Poland, Romania, and the UK.

SecurityFocus: What does the current law of your country say about disclosure of security vulnerabilities in software?

(Belgium) Jos Dumortier: There is no specific legal provision in Belgium about disclosure of security vulnerabilities in software. In some cases however, such a disclosure can be considered a criminal act. I am mainly referring to two cases. The first is the crime of "illegal intrusion in information systems" (sometimes called "hacking"). The qualification of this criminal act not only includes the intrusion itself but also "intentionally distributing instruments or data which are mainly conceived to carry out an intrusion".

The second is the crime of "illegal circumvention". This is a rule which has its origin in the European Copyright Directive. Besides the act of circumventing digital rights management software itself, the provision also prohibits the act of intentionally distributing information which enables someone (else) to circumvent DRM systems.

On the other hand, someone who discloses vulnerabilities in software can also be held liable -- if this disclosure causes harm, for instance, to the software vendor. But such liability presumes that the disclosing person has (caused harm) by disclosing the weakness. (Such harm) has to be proven by the other party. Of course, an employee can be held contractually liable for a disclosure if this disclosure has been prohibited by his employment contract. Same with someone who signed an NDA, etc.

(Denmark) Martin von Haller Groenbaek: First off, if you have inside knowledge regarding such vulnerabilities, e.g. because you work at the software company making the flawed software, you are not to tell anyone of the vulnerabilities since such vulnerabilities would be considered trade secrets -- and disclosure of trade secrets is punishable with up to one and a half years of imprisonment -- and in severe cases with up to 6 years of imprisonment. However, if the vulnerability is not considered a trade secret, e.g. where a user of the software has found the vulnerability, the situation is somewhat different.

If the vulnerability is revealed in a very concrete situation, e.g. if you tell exactly how to use a vulnerability in Internet-banking software -- the person revealing the vulnerability runs the risk of being punished for assisting in a crime -- if the vulnerability is used to commit a crime afterwards. If the disclosure of the vulnerability is less concrete -- disclosure would usually not be punishable by law.

If the disclosure is made by a competitor this would however likely be in conflict with the Danish marketing practices act, and the company disclosing the vulnerability could be fined.

To my knowledge, we only have a single case in Danish law regarding disclosure of vulnerabilities. In the so-called Valus case, a person disclosed in the Computerworld.dk forums that by entering a specific link in your browser you could make the Valus Internet service crash. Valus is an online payment service. He also posted the link itself, but also noted that the link should not be clicked. The person disclosing the vulnerability was acquitted, because it was clear that his disclosure was part of a debate, and he had not intended to crash the Web service. However, the persons who actually clicked the link were fined.

(Finland) Ville Oksanen: Finland currently has an extensive set of different crimes pertaining to information technology. The latest additions were made because of the CoE (Council of Europe) cybercrime treaty. However, regarding full disclosure, there are no explicit provisions on the matter in the law. Finnish Criminal law 34:9a § "Causing danger to computing" may be applicable due to its very wide scope -- the chapter covers both offering code and offering advice which could be used to disrupt networks or software. However, there is one additional element -- intent. The act is only criminal if the goal of the act is to cause harm or damage.

However, the preparation material, which is not binding for courts (but a strong recommendation), of that chapter actually takes a position that publishing a bug is normally OK, even for pressuring a vendor, but that creating code that demonstrates how to use it is not, unless it is produced to be sent to an organization like CERT. This seems to imply that full disclosure could be criminal. So far there have not been any court cases relating to the matter.

(France) Eric Barbry: Actually, in my opinion, there is no specific text on this question in French law. However, this question could be solved with regard to other regulations, especially criminal law. The French penal code punishes fraudulent access to, or remaining within, all or part of an automated data processing system. Moreover, article 323-3-1 of the criminal code stipulates: "A person who, without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer program or information created or specially adapted to commit one or more of the offenses prohibited by articles 323-1 to 323-3, is punished by the penalties prescribed for the offense itself, or the one that carries the heaviest penalty".

Therefore, it seems possible to punish the disclosure of security vulnerabilities in software on the basis of these articles if unlawful access has been committed or if the disclosure has been carried out under the conditions of article 323-3-1. The risk of prosecution depends on the particulars of the security of the information system which is accessed.

Thus, in a decision of October 2002 [Cour d'Appel de Paris, Tati / Kitetoa, 30 octobre 2002], the Court of appeal of Paris (charged) a journalist who had accessed the information system of Tati. The objective of this journalist was to reveal security vulnerabilities on his website, Kitetoa. The Court did not consider the objective of (gathering) the information to (trump) the offense of intrusion on the information system. However, the Court did consider that the information system was "insufficiently secured" and that the offense of intrusion couldn't be committed on an "insufficiently secured" system.

The other criminal basis to punish disclosure of security vulnerabilities in software is counterfeiting regulations. In a decision of February 2006 [Cour d'appel de Paris, 13ème chambre, section A, Arrêt du 21 février 2006, Guillaume T. (dit Guillermito) / Eyal D., Tegam International], the Paris Court of Appeals convicted Mr G. for counterfeiting the Viguard software. Mr G. was interested in software vulnerabilities, and he disclosed on the Internet vulnerabilities of the Viguard software. The problem is that Mr G. wasn't (the owner) of a license on the software and that he copied and disassembled certain elements of the software to publish them on the Internet.

In other cases, it will be more difficult to punish a disclosure, except if this disclosure is a violation of business secrets or an act of unfair competition.

(Germany) Marco Gercke: Marco gave a detailed interview to SecurityFocus and talked about vulnerability disclosure.

(Greece) Irini Vassilaki: Greek law does not explicitly prohibit the disclosure of vulnerabilities in software. The only provision that could cover this issue is Art. 370C par. 2 of the Greek criminal code, which punishes hacking. This normally punishes access to data that are stored in a computer system or are transported via telecommunications networks. The act must be committed "without right". This is especially the case when the access takes place through the violation of security measures which have been taken by the owner or other right holder of the system.

There is no case law concerning the interpretation of Art. 370C par. 2 GrCC. According to the legal literature, "without right" is every activity that takes place without the authorization of the right holder of the system. Therefore, any interference with the software that could (result in) the disclosure of vulnerabilities and occurs beyond such authorization takes place "without right".

For the prosecution of this offense, a complaint is required. I cannot imagine, however, that the disclosure of the vulnerabilities of software will be reported to the police by the right holder. This would have the result that the "weak parts" of the software would be public, and this would have negative consequences for the right holder.

(Hungary) Ferenc Suba: Before you disclose a security vulnerability in software, you should ask yourself a couple of questions to clarify the legal consequences of your action in Hungary. First you should validate whether the information you give to the public is correct. If you publish incorrect vulnerability information, you may be liable for damages according to civil law, because you have damaged the reputation of the software producer.

Having checked that, you should pose the question whether the disclosure hurts the rights or legitimate interests of the software producer, any other third person or the public order. Concentrating on the software producer, you will not infringe any portion of its copyright or patent rights -- in case of computer implemented inventions -- if you limit the disclosure to the vulnerability itself and you do not extend the publication to the parts of the software that are protected by the Copyright Act, the Patent Act or even the Penal Code.

If you look at third parties and public order, it is always important to show that you are acting in good faith, i.e. you are not disclosing the vulnerability to enable others to commit a crime against information systems, since it would fall under a crime regulated in the Penal Code. This can be done by attaching patch information to the vulnerability.

Having paid attention to the above, you can be sure that the disclosure will be a legal one and in conformity with the relevant provisions of civil and penal laws of Hungary. Moreover, the legal disclosure of security vulnerabilities in software can be seen as an action that supports the fulfillment of regulatory requirements laid down in the Data Protection Act (in respect to data protection), the Act on Credit Institutions (in respect to the protection of their information systems), the Act on Electronic Communications (in respect to the protection of the electronic communication and information systems), and the Government Decree on the National Security Supervisory Authority (in respect to the electronic security of the institutions falling under the scope of the authority).

(Ireland) TJ McIntyre: We have no law in this area as of yet. It is possible that possession of hacking tools or a crack or exploit code might amount to the offense of possession of an item with intent to damage property (note that property includes data). It is also possible that the method used to discover a vulnerability might itself amount to a crime under s.5 CDA 1991 or s.9 Criminal Justice (Theft and Fraud Offences) Act 2001. There may also be contractual or licence provisions which restrict a user's ability to disclose vulnerabilities. Otherwise though this area is a blank slate.

(Italy) Gabriele Faggioli: No legal measure exists in our ordinance that specifically refers to vulnerabilities and/or exploits. However, some norms do exist that abstractly can be considered applicable to research and the publication of vulnerabilities and/or exploits. First of all, it is important to consider that research into vulnerabilities related to operating systems and applications is not always considered a legal activity. With reference to proprietary software -- with closed-source code -- precise norms are defined by the law on copyrights (Law n. 633 of 22nd April 1941 and subsequent modifications). On the one hand, (the laws) allow the legitimate owner of a copy to observe, study or subject the operation of the program to a test, with the objective of establishing the ideas and principles upon which each element of the program is based -- if such activities are performed during the loading, visualization, execution, transmission or storage operations of the program. On the other hand, the possibility of performing de-compilation operations is limited to special cases, such as the achievement of inter-operability with other programs.

Implemented in accordance with the law on copyrights, research and the subsequent publication of vulnerabilities related to software is not illegal as long as some specific details are adopted. In particular, the person that discovers the vulnerabilities should inform, in advance, the manufacturer of the program to which the vulnerability refers, in order to allow him to create a "patch" before any possible publication. In the absence of this prior transmission of information, the individual that has disseminated the vulnerability may be called upon to compensate, on a civil level, damages caused by third parties due to the effect of its publication. This behavior may be considered contrary to the principle of good faith, as such damages, even if they are involuntary, generated indirectly by the integral publication of vulnerabilities, could have been avoided or limited through much more diligent behavior by the person in charge of their diffusion.

Another topic applies to research of vulnerabilities that refers to specific information technology systems implemented by third parties -- for example by a company. These research activities may integrate the abusive computer access crime regulated by article 615/ter of the penal code if used, for example, through penetration tests not authorized by the company. The norm indicated, in reality, specifically punishes the behavior of anybody that illegally enters a computer system protected by safety measures or remains in the system against the specific desire of whoever has the right to exclude him, and the crime can be punishable as a pure attempt. The subsequent publication of vulnerabilities may, in this case, have an independent penal importance. Article 615/quater of the penal code ("Abusive detention and diffusion of access codes to computer or remote systems") considers it a crime for an individual who, with the objective of creating profit for himself or for others or creating damages to others, illegally obtains, reproduces, diffuses, communicates or delivers codes, passwords or other suitable means for access to a computer or remote system, protected by safety means, or provides indications or instructions suitable for the aforementioned purposes.

With reference to the publication of exploits (or programs/codes created to take advantage of a previously identified vulnerability), article 615 of the penal code may be used as it punishes the diffusion, communication or delivery of programs whose objective or whose effects include damage to a computer or remote system or alteration of its operation. This norm, traditionally associated with the diffusion of computer viruses, may be applied to the publication of exploits that may result in alterations to the computer system whose vulnerabilities are exploited.

Despite the aforementioned norms examined, considered to be abstractly applicable to the publication of vulnerabilities and exploits, no ruling has yet been issued by Italian judges on a concrete case. At the same time, no intervention has been planned by our legislators in order to regulate this topic.

(Poland) Tomasz Rychlicki: Polish Law of February 4, 1994, on Copyright and Neighboring Rights (in Polish: ustawa o prawie autorskim i prawach pokrewnych) allows -- unless otherwise provided in the contract -- for acts such as reproducing the program in its entirety or in part, either permanently or provisionally, where the loading, display, running, transmission or storage of a computer program calls for such reproduction, if they are necessary for the lawful acquirer to be able to make use of the program according to its intended purpose, including the correction of errors (article 74, sec. 4(1) and article 75, sec. 1).

The following acts shall not require authorization: analysis and study of and experimentation with the operation of the computer program by the lawful acquirer in order to ascertain its underlying ideas and principles, if the person concerned performs the above acts at the time of the operations associated with the loading, display, running, transmission or storage of the computer program (article 75, sec. 2(2)).

As you can see there isn't any prohibition on publishing your discoveries in copyright law, but we also have the Polish Penal Code (in Polish: Kodeks Karny) and the highly criticized Doctrine Article 269b, which prohibits creating, acquiring, selling or making available to other persons devices, computer software, passwords, codes or other data which allows access to information stored in computer system or network.

Article 269b of the Polish Penal Code penalizes an act of a person who produces, acquires, sells or makes accessible to other persons devices or computer programs and also computer passwords, access codes or other data that enable access to information stored in a computer system or telecommunication network. Such a person can be sentenced to up to 3 years of imprisonment. Hacking is not defined in the Polish Penal Code.

However, article 269b contains an undefined term such as "other data", which is contradictory to one of the main criminal law principles -- "in dubio pro reo" -- all doubts should be decided in favor of the defendant.

What is more important, Article 269b of the PPC is an example of an incorrect implementation of the Council of Europe Convention on Cybercrime (article 6 sec. 2), which clearly allows production, sale, procurement for use, import, distribution or otherwise making available or possession of devices, computer programs, computer passwords, access codes, or similar data that are used not for the purpose of committing an offense established by the Convention. For example: for the authorized testing or protection of a computer system.

There is no definition of "authorized testing", but it may be presumed that every legitimate user of a computer program is entitled to such actions. In European Union countries this presumption is supported by a provision included in the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs.

So, as you can see, you can publish any kind of vulnerability in Poland and Europe (and in any country which is a party to the CoE CoC). There is also another very important issue with the national legislation as regards the Council of Europe Convention on Cybercrime, which 21 countries signed, including the U.S.A.

When the national legislation which implements the CoC is improperly implemented and a person is charged based on those national regulations' provisions, he/she always has the right to challenge it before the European Court of Human Rights. The court will always follow the Convention's text.

(Romania) Bogdan Manolea: The Romanian cybercrime law does not rule specifically on the disclosure of security vulnerabilities in software. From a theoretical point of view this might be considered, depending on the circumstances of the case of course, as an "aiding and abetting" of the crime of illegal access to a computer system (see art. 42, especially point b) and could be prosecuted in a penal case.

If the disclosure is also directly linked with an unauthorized entry into a computer system by the same person, then this is a crime according to art. 42, Law 161/2003. There are no court rulings that I know of on this matter, and I don't know of any resource on the Internet especially on this topic (in Romanian or about Romania).

Writing an exploit is a crime under article 46, but only if it can be used in (only) an illegal way... If we have an exploit that can be used in a legal way, then there is no punishment for producing or sharing it.

Article 46

(1) The following are considered criminal offenses and punished with imprisonment from 1 to 6 years.

  1. the production, sale, import, distribution or making available, in any other form, without right, of a device or a computer program designed or adapted for the purpose of committing one of the offenses established in accordance with arts. 42-45;
  2. the production, sale, import, distribution or making available, in any other form, without right, of a password, access code or other such computer data allowing total or partial access to a computer system for the purpose of one of the offenses established in accordance with arts. 42-45;

(2) The possession, without right, of a device, computer program, password, access code or computer data referred to at paragraph (1) for the purpose of one of the offenses established in accordance with arts. 42-45 is also punished similarly.

Anyway, this is a theoretical discussion -- in practice the Romanian cybercrime police are so busy with the phishing cases, they won't have time for such a minor crime.

(UK) Peter Sommer: There is no specific provision in English Law, but if the discloser is in a contractual relationship with the supplier, the contract may seek to ban reverse engineering or impose a duty of confidentiality. In those circumstances the supplier could resort to civil proceedings.

The only obvious criminal route might be via "incitement" -- that is that by publicizing the breach others were being encouraged to take advantage. But the prosecutor would need to demonstrate "intent"; and the discoverer of the flaw could almost certainly say that the intent was to make the product secure, not to take advantage. I think that UK authorities would be reluctant to prosecute in these circumstances.

On the whole, if a flaw is discovered in your product, you would do better to rectify it, rather than going to the law. There is perhaps one further aspect of the law to consider: the means by which the security flaw was uncovered. The Council of Europe Cybercrime Treaty (to which the USA is a signatory) includes provisions against the use of "anti-hacking" tools. If you have uncovered a flaw using certain techniques and then publicize the results you may, in certain circumstances, be admitting to breaking the law!

Copyright 2006, SecurityFocus