It may be the protection and peace of mind that Web application security researchers have been waiting for: PayPal's new vulnerability disclosure policy states that the company won't take any legal action against a researcher who properly follows its procedure for reporting bugs in its software. (See Laws Threaten Security Researchers).
"I would certainly hope it's the start of a trend," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who blogged on this development late yesterday. Grossman says there have been other signs of hope lately as well for freeing Web app security researchers to do their work without the worry of legal implications: a Microsoft panelist last week at the OWASP and Web Application Security AppSec 2007 Conference said the company wouldn't take action against anyone who finds bugs in its Websites. "But Microsoft has not gone so far as to document that publicly like PayPal," Grossman says.
Web application security researchers don't have the freedoms of other security researchers, who for the most part work unrestricted in their efforts to search for bugs in operating systems, device drivers, or other apps on their own machines. Computer security laws make looking for vulnerabilities on live Web servers dangerous legal territory, and the laws aimed at protecting companies from attackers have also inadvertently hurt researchers in this space.
Grossman says PayPal's policy may well be the first to guarantee Web researchers protection when they responsibly report a vulnerability to the company. PayPal's policy says, in part: "To encourage responsible disclosure, we commit that -- if we conclude that a disclosure respects and meets all the guidelines outlined below -- we will not bring a private action or refer a matter for public inquiry."
Kelly Jackson Higgins, Senior Editor, Dark Reading