Update 06.18.2007: Additional coverage from SecurityFocus
Update 06.12.2007: CSI Working Group on Web Security Research Law Report is available. (Reg Req.) As I said below, this is well worth the read and especially important for the web security crowd.
Last year I began talking about how vulnerability "discovery" is becoming more important than disclosure as we move into the Web 2.0 era. Unlike traditional software, web applications are hosted on someone else's servers. Attempts to find vulnerabilities, even with honest intentions, on computers other than your own are potentially illegal. Eric McCarty and Daniel Cuthbert serve as examples, as covered by SecurityFocus. Whatever your opinion on the issues, few outside the web application security field appreciate the finer points or understand the potential long-term effects. People have been listening though.
It started with Scott Berinato’s The Chilling Effect, and most recently Sarah Peters from the Computer Security Institute assembled a diverse group of Web security researchers (including myself), computer crime law experts and agents from the U.S. Department of Justice to discuss the situation and create a report. After several collaborative calls and email exchanges amongst the participants, I learned a great deal, but unfortunately left with more concern than I started with.
I’ve read the report draft and it’s very well written; Dark Reading has coverage (Laws Threaten Security Researchers). I’d like to add that this document should be mandatory reading for everyone in, or about to become part of, the infosec industry. The final report won’t be posted until next week at CSI, where a panel (I’ll be there) is planned to discuss the contents. I’ll update the post then, when the link becomes available.