If someone discovers a security vulnerability in a computer system, and they notify the operator or party responsible for maintenance of the system, then, starting 90 days after the notification was received, they may publicly disclose the vulnerability without fear of civil or legal repercussions.
If they use the vulnerability to exploit a system that is outside of their own administrative control (beyond developing a proof of concept), or transfer the information with intent to facilitate third-party exploitation of the vulnerability, then the above protections do not apply.
I’m sure a lawyer worth their salt could turn that into an iron-clad law.