Quoting Losik:
Imagine the following situation: I found a security vulnerability on a website. The website can be totally destroyed, the data can be stolen, and so on. I'm not going to do any of this, of course. I want to notify the owner of the website. But simultaneously I want to publish an article about this particular security vulnerability. So I have two long questions:

1) E.g. I sent the notification to the owner on 12.01.2010. The owner had not fixed the problem by 12.15.2010, when I published the article. Some unknown guy read the article and ruined the site on 12.16.2010. Am I responsible? Is a 2-week time frame reasonable?
If you publish an article for anyone to read that details how to attack the website, damn skippy you're responsible. 2 weeks? Around the friggin holidays? Did it ever occur to you it might take the owner longer than that to either a. contact the original website developer or b. find someone else to come in and fix it?

Quoting Losik:
2) Regarding the notification to the owner. OK, I see the problem. I understand it. But if I tell a regular online store something like "Hey, you have an nginx null pointer dereference", it means nothing to him. In order to be understood I can (theoretically) upload a file to his website to create a page hiswebsite.com/it_is_a_problem.html. That would be a proof even business people can understand. And it's harmless. But isn't it illegal?
Yes, it is probably illegal in some jurisdictions in the sense you can be sued. Criminally? Without knowing a specific jurisdiction, can't say.