[LINK] Super fund security breach lands good Samaritan in hot water

Richard Chirgwin rchirgwin at ozemail.com.au
Wed Oct 19 17:37:11 AEDT 2011


Front page of *four* publications :-)

And there was also some discussion on The Register.

It's worth keeping in mind that Webster first observed the bug during a 
legitimate use of the site - checking his own account. Perhaps his 
proof-of-concept was ill-considered, and he should instead have sent 
instructions to FSS on how to write the script, without running the 
script himself.

Like you, Darren, I am hearing of people reaching for the lawyers 
first-and-foremost. In one case I discussed with a researcher earlier 
this year, the threat came not with disclosure, but merely because the 
researcher tried to report a vulnerability to a company.

RC

On 19/10/11 2:12 PM, Darren Pauli wrote:
> Infosec people tell me legal threats for unauthorised vuln disclosures are
> on the rise, though they can't name names because of NDAs. They reckon some
> of the businesses had paid researchers bug bounties but not before first the
> legal threat.
>
> Here's the letter sent from First State to Webster.
> http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf
>
> Webster had downloaded about 500 accounts using a script. That was then
> supplied to the company.
>
> There's some robust discussion under the stories SC and Risky.Biz covered
> last week. R.B's got the audio interview with First State Super's CEO
> explaining the action.
>
> http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
> and
> http://risky.biz/minter
>
> For my 2 cents, I think it's a warning that organisations should have a
> policy for vulnerability disclosure. I'm sure they never wanted to be front
> page of three media publications.
>
> Darren Pauli
>
> SC editor
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
