Is it possible to get into legal trouble for identifying vulnerabilities in a web application even if you don’t exploit them?
I have considered using tools like NetSparker on occasion to see if a site has any vulnerabilities and I’d like to contact the owner of the site to see if they’d be interested in me fixing it. I suspect that some of these people might get angry or misinterpret my intentions and I’m curious if I could get into any trouble for simply finding these security issues.
If you are looking for vulnerabilities in open source software or commercially distributed software and you are a US citizen, you are protected by the First Amendment. It is legal for you to write exploit code and do whatever you want (as long as it isn’t selling it to terrorists/the mob). If you do find a flaw, report it to BugTraq and put it on your resume. I have racked up a lot of CVE numbers over the years, and I actively write exploit code.
In Germany and France the laws are a bit different: the possession of “hacking tools” like exploit code or even Nmap can land you in jail. You might also be interested in the laws on full disclosure.
On the flip side, if you go around scanning people’s web sites looking for vulnerabilities, you are breaking the law and the FBI will investigate you. Do not look for vulnerabilities in random websites without the owner’s permission.