20140608

Legal Threats Against Security Researchers

How vendors try to save face by stifling legitimate research

It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right thing, even when doing the right thing would mean a better product for their customers. Companies fear negative publicity, especially if said publicity challenges the security of their products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, or that security gets bolted on as a band-aid rather than built in as an integral part of the development life cycle. Rather than work with researchers who are frequently providing what would otherwise be high-dollar specialized consulting for free, some companies opt to take the muddy road and pursue legal action against the researchers. This action is one of desperation and attempts to silence and stifle legitimate research and free speech. Invariably, it ends up being a huge negative PR move, much worse than what would have occurred had the research simply been published without the legal murk.

Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will go a lot farther toward building customer confidence and help avoid negative publicity...

http://attrition.org/errata/legal_threats/
