Legal challenges related to software vulnerability disclosure

1 Legal challenges related to software vulnerability disclosure
Andriani Ferti
CEPS, 23 June 2017

2 Characteristics of software vulnerability disclosure
Dual nature of security information: the same information required to correct vulnerabilities also allows for more widespread exploitation of these vulnerabilities

3 Disadvantages of software vulnerability disclosure
Public relations nightmare for software vendors
In several instances, the seriousness of the issue is either over- or understated
Public disclosure may give a window of opportunity to hackers to exploit the vulnerability before the patch is deployed

4 Advantages of software vulnerability disclosure
Disclosure can be critical and can indeed be of help
WannaCry is a telling example: Microsoft was informed through a disclosure about the vulnerability, and deployed an emergency patch in March
Researchers also helped develop the kill switch (which slowed down the spread of infection) and ways to recover harmed files
Under certain circumstances, disclosure should be encouraged

5 Issues to consider
Software vulnerability disclosure is complex and involves many stakeholders: software vendors, independent researchers, governments, actual users and the general public
Numerous questions need to be addressed: When should disclosure happen? What information should be disclosed? In what format? To whom should it be disclosed?

6 Relevant legislation
Intellectual property: copyright, trade secrets, patents, trademarks
Export control
Cyber criminal law
Data protection

7 Copyright claims
Claim that the information disclosed includes portions of software code, and thus infringes the vendor's copyright
Activities involved in vulnerability disclosure may interfere with the copyright holder's right to prevent circumvention of DRM technology applied to the software

8 Existing exemptions under copyright law
Reproduction of the code and translation of its form for the purposes of achieving interoperability; however, information obtained through this reverse engineering can only be used for interoperability purposes
Use of a copy in order to observe, study, or test the functioning of the program to determine its ideas and principles; if disclosure involved reproduction, it would not be allowed
Note: in the US, the DMCA provides for a security testing exception; this is however considered to be narrow, and academics call for legal reforms

9 Trade secret claims
Software vendor claims a trade secret infringement
Particularly important and a bit more complex in case the independent researcher has previously worked for the vendor as an employee or a consultant: the vendor can then possibly claim that the researcher's prior knowledge led to the discovery

10 Trade secret exceptions
Recently adopted Trade Secrets Directive
Under trade secret law, reverse engineering would be considered a means leading to lawful acquisition of trade secrets; this is explicitly stipulated in the Directive
Nonetheless, vendors can restrict the right under the EULA, and this is usually the case

11 Patent claims and patent law
No need to address the patentability of software under EU law in this context; computer-implemented inventions can in certain cases be patentable
The law does not provide for an exception that would be applicable in the circumstances we are looking at
The aborted draft CII Directive included an exception for reverse engineering for interoperability purposes

12 Trademarks
Claim by vendors that disclosure infringes on their trademarks
Such a claim is less likely to prevail: arguably the use of the trademark is necessary for making the disclosure and there is no intention to confuse consumers

13 Export control regulation
What is export control?
2015 amendment to the Wassenaar Arrangement, applicable also to "intrusion software offered for sale"
Would this also cover bug bounty programmes? Zero-day exploits?
Not yet part of EU legislation, but included in the EC proposal of September 2016, and currently discussed by the EP and Council

14 Cyber criminal law
Illegal access to a computer system may constitute a criminal offence if committed intentionally
Are Member States, as well as the public prosecutors, responsible in such instances for providing guidance as to what constitutes an offence under these circumstances and what does not?

15 Data protection
Let's not forget about the protection of personal data
What happens if the researcher also gets access to and processes personal data of the users?

16 Outstanding questions
Is there a need to reform the existing law, e.g. copyright law? How do you ensure that any proposed exception is not misused by researchers? How do you clearly define it? Do you give some sort of "safe harbour" to the researcher?
If reform is not necessary, how do you encourage disclosure where it would have positive effects?
How do you complement all this with raising user awareness? Developing and deploying patches; proper system maintenance
