Wednesday, February 27, 2008

The Laws of Full Disclosure

I added a really interesting article (from Security Focus) to my Interesting News feed. If you are new to my Blog or News Feed, please check it out. I add stories/content I find interesting.

The Article: The Laws of Full Disclosure

Summary: A Security Focus contributor researches the legality of disclosing vulnerability information to the public in twelve European countries.
  • Belgium - Illegal with Conditions - Full disclosure of vulnerability information is illegal if it is proven to have caused harm to the vendor, proven to have been written for the sole purpose of an intrusion (hacking), or proven to have been a breach of an employment contract/non-disclosure agreement.
  • Denmark - Illegal with Conditions - If you are an employee or contractor of the software development company, vulnerabilities are considered "trade secrets". Releasing detailed instructions to exploit the vulnerability can be considered "assisting in a crime." A competing software company would be fined for releasing such information.
  • Finland - Proof of Concept Illegal with Conditions - Proof-of-concept code can only be prepared for a CERT.
  • France - Mostly Legal - Only illegal when you use the attack or share confidential/proprietary information.
  • Germany - Legal
  • Greece - Legal
  • Hungary - Legal with Conditions - If the information you release is incorrect, you can be held liable for damages. It cannot violate patent or copyright clauses.
  • Ireland - No Laws - Possessing "tools" that can result in an intrusion could be a crime, but disclosing vulnerabilities is an uncharted area.
  • Italy - Legal with Conditions - You cannot decompile code unless working on interoperability.
  • Poland - Legal
  • Romania - Illegal with Conditions - Illegal if the information is used in an intrusion. In addition, writing exploit code is illegal.
  • UK - Legal
Four of the twelve countries have laws that make it illegal to release vulnerability/security information. Three enforce restrictions on the disclosure. That leaves only four countries that allow disclosure, with the remaining country (Ireland) having no laws either way.

Comments: This article causes me great concern. I find it absurd that in the year 2008, with the average person starting to think about security, we would be limiting research. Obviously the only way to secure software is to test it, and then release the information you find. If they do not allow people to disclose the information, the vendor may never know about the issue, let alone fix it! If they do allow disclosure to the vendor but not the public, then you run into the issue of vendors ignoring security concerns. Or worse, the users never knowing they're at risk. Reasonable Disclosure versus Full [Public] Disclosure has been a debate in the security community for all of time, and both have a time and place, but outright criminalizing disclosure and research is insane. I really hope these laws are reviewed.

Leave your comments in the comment section, and if you feel so inclined (and live in one of these areas), contact your government and let them know your concerns.
