Why “white hat” hackers – who cyber security experts argue are vital to security research – are sometimes leery of reporting vulnerabilities.
…according to Parsons, reporting those findings to vendors risks bringing on defamation or SLAPP (Strategic Litigation Against Public Participation) suits – a long and costly legal endeavour.
“Let’s say you discovered that there was a vulnerability in something the CRA was running separate to Heartbleed – the CRA purchased that from a vendor, so the vendor would have an interest in that not becoming public because it could damage them,” he said.
“They will say if you disclose this we will sue you – and it might be a SLAPP case, but unless you are well-off financially the cost of defending yourself against a SLAPP suit could cost hundreds of thousands of dollars.”
Global News contacted Shared Services Canada, the agency responsible for IT infrastructures for all government departments, for comment regarding whether outside researchers would be allowed to report vulnerabilities found within government websites without risking legal action.
Shared Services Canada did not immediately respond to a request for comment.
The chilling effect on vulnerability disclosure stems from the potential legal liability that comes with reporting vulnerabilities to software vendors. While it’s often (though not always) the case that technical staff understand the problems and may work to mitigate them, things can go to hell pretty quickly once non-technical staff such as legal or public relations get involved.
In effect, the incentive model for White Hats to come forward to help the commons of software users breaks down incredibly quickly in the face of harsh penalties for individuals ‘breaking digital locks’ or found to violate terms of service, penalties that corporate vendors can (and do) leverage in order to maintain their public reputations.