论文信息 - Quantifying the Pressure of Legal Risks on Third-party Vulnerability Research

Quantifying the Pressure of Legal Risks on Third-party Vulnerability Research

Product vendors and vulnerability researchers work with the same underlying artifacts, but can be motivated by goals that are distinct and, at times, disjoint. This potential for conflict, coupled with the legal instruments available to product vendors (e.g., EULAs, DMCA, CFAA, etc.) drive a broad concern that there are "chilling effects" that dissuade vulnerability researchers from vigorously evaluating product security. Indeed, there are well-known examples of legal action taken against individual researchers. However, these are inherently anecdotal in nature and skeptics of the chilling-effects hypothesis argue that there is no systematic evidence to justify such concerns. This paper is motivated by precisely this tussle. We present some of the first work to address this issue on a quantitative and empirical footing, illuminating the sentiments of both product vendors and vulnerability researchers. First, we canvas a range of product companies for explicit permission to conduct security assessments and thus characterize the degree to which the broad software vendor community is supportive of vulnerability research activities and how this varies based on the nature of the researcher. Second, we conduct an online sentiment survey of vulnerability researchers to understand the extent to which they have abstract concerns or concrete experience with legal threats and the extent to which this mindset shapes their choices.

[1] T. Hazlett,et al. Was The Fairness Doctrine A “Chilling Effect”? Evidence from the Postderegulation Radio Market , 1997, The Journal of Legal Studies.

[2] Eric Rescorla,et al. Is finding security holes a good idea? , 2005, IEEE Security & Privacy.

[3] Dirk Grunwald,et al. Legal Issues Surrounding Monitoring During Network Research (Invited Paper) , 2007 .

[4] Dirk Grunwald,et al. Legal issues surrounding monitoring during network research , 2007, IMC '07.

[5] Michael X. Delli Carpini. In the Matter of exemption to prohibition on circumvention of copyright protection systems for access control technologies , 2008 .

[6] Aaron J. Burstein. Amending the ECPA to Enable a Culture of Cybersecurity Research , 2008 .

[7] Mitchell Silberberg,et al. Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies , 2012 .

[8] David A. Wagner,et al. An Empirical Study of Vulnerability Rewards Programs , 2013, USENIX Security Symposium.

[9] Candice Hoke. Comment with the Copyright Office Regarding a Proposed Exemption Under 17 U.S.C. Section 1201 for Software Security Research (Class 25) , 2015 .

[10] Lillian Ablon,et al. Zero Days, Thousands of Nights , 2017 .

[11] M. R. Kerbel. What About Us? , 2018, Remote & Controlled.