404 Tech Support

Disclosing software vulnerabilities isn’t against the EULA?

Software is just a compiled bunch of code but it represents ingenuity, innovation, effort and time. It is also a very interesting product. When you purchase software, the software is licensed to you, not sold. The Terms of Service and End User License Agreement can do some pretty interesting things such as disallowing participation in a class action lawsuit and requiring arbitration instead. So, why, Hal Berenson wonders over on his blog, are software developers not putting in a clause to prevent disclosing exploits to third parties or requiring that they be disclosed to the vendor?

The software vulnerability market is a rapidly changing place, with some companies paying out “bug bounties”, others relying on ethics and responsible disclosure, and bad actors paying for vulnerabilities to be used by malware. Some of the controversy of the vulnerability market spilled into this weekend’s Washington Post, where some are calling for government regulation of this controversial industry.

The star of the story is Vupen, a company that demonstrated vulnerabilities at this year’s Pwn2Own but didn’t disclose the details to Google, thus forgoing the prize money. Vupen’s chief executive later stated that they were reserving the knowledge for their customers, who are supposedly government entities that are members of NATO or allies.

If disclosing vulnerabilities were made against the EULA, it would give companies a contractual leg to stand on, which is much easier than trying to get laws and regulations passed internationally. Of course, “if you outlaw guns, only outlaws will have guns” has its own counterpart here: “if you make disclosing vulnerabilities against the agreement, only those breaking the agreement will disclose vulnerabilities.” Germany has prohibited the sale or disclosure of vulnerabilities for free and the US Commerce Department already regulates the sale of software and exploits that relate to cryptography.

Of course, any proposed solution would eventually have to go through the courts in order to figure out what can stand. Could writing code to exploit a vulnerability be considered free speech?

(via Hal’s (Im)Perfect Vision)