Quantifying the Pressure of Legal Risks on Third-Party Vulnerability Research (ACM CCS 2017 Paper)
Disclosing vulnerabilities can create labor costs and result in brand damage for product owners, and this tension at times leads to adversarial relationships form between the developer and researcher community. No software is without flaws, and products routinely ship with security vulnerabilities later discovered by third-party auditors. The challenge to these audits follows U.S. law, which provides legal theories that developers are able to leverage to oppose third-party security research.
The potential for conflict between the objectives of product vendors and vulnerability researchers is of concern to the broader academic community. In this study, we investigate the underlying dissuasion (or "chilling effects") of rigorously evaluating product security, following known threats of litigation by product manufacturers, using two instruments:
1) Canvassing a range of product companies for permission to assess their security levels in an attempt to examine support of independent security research within the software vendor community,
2) Implementation of an online sentiment survey to capture any concerns or experience with legal threats that impact researcher inclination toward rigorous assessment.
Surveying over 100 vulnerability researchers and 75 companies, two highlights are as follows: most product manufacturers loathe surrendering legal recourse to third-party vulnerability researchers, and the distinction in responsiveness toward academic versus independent security researchers is significant; legal issues and retaliation are a significant concern to many vulnerability researchers, and over a fifth of participants reported being threatened by product vendors. Results revealed that some companies have concrete vulnerability disclosure policies that can implicitly encode safe harbors for researchers who follow disclosure requirements, however, indications illustrate a minority of companies contacted were willing and able to present such terms when asked for permission. Additionally, academic researchers were three to five times more likely to receive a response over independent researchers.
Blog post by David Arias, edited by Alexander Gamero-Garrido