The Article: The Laws of Full Disclosure
Summary: A Security Focus contributor researches the legality of disclosing vulnerability information to the public in twelve European countries.
- Belgium - Illegal with Conditions - Full Disclosure of vulnerability information is proved to have causes harm to the vendor, is proved to be written for the sole purpose of an intrusion (hacking), or is proved to have been a breach of a employment contract/non-disclosure agreement.
- Denmark - Illegal with Conditions - If you are an employee or contractor for the software development company, vulnerabilities are considered "trade-secretes". Release details instructions to exploit the vulnerability can be considered "assisting in a crime." A competing software company would be fined for release such information.
- Finland - Proof of Concept Illegal with Conditions - Concept code can only be prepared for a CERT.
- France - Mostly Legal - Only illegal when you use the attack or share confidential/proprietary information.
- Germany - Legal
- Greece - Legal
- Hungary - Legal with Conditions - If the information you release is incorrect you can be held liable for damages. It cannot violate patent of copyright clauses.
- Ireland - No Laws - Having "tools" that can result in an intrusion could be a crime, but disclosing vulnerabilities is an uncharted area.
- Italy - Legal with Conditions - You can not decompile code, unless working on interoperability.
- Poland - Legal
- Romania - Illegal with Conditions - If the information is used in an intrusion. In addition writing exploit code is illegal.
- UK - Legal
Comments: This article causes me great concern. I find it absurd that in the year 2008, with the average person starting to think about security, that we would be limiting research. Obviously the only way to secure software is to test it, and then release the information you find. If they disallow people to disclose the information the vendor may never know about the issue, let alone fix it! If they do allow disclosure to the vendor but not the public, then you fall in the issue with vendors ignoring security concerns. Or worse the users never knowing their at risk. Reasonable Disclosure verse Full [Public] Disclosure have been a debate of the security community for all of time, and both have a time and place, but out right criminalizing disclosure and research is insane. I really hope these laws are reviewed.
Leave your comments in the comment section, and if you feel so inclined (and live in one of these areas, contact your government and let them know your concerns).