"Web applications pose a dilemma for bug hunters: how to test the security without going to jail? If hackers probe traditional software such as Windows or Word, they can do so on their own PCs. That isn't true for Web applications, which run on servers operated by others. Testing the security there is likely illegal and could lead to prosecution.
"There are more legal dangers to testing an application that is hosted on somebody else's system. That is a real challenge of this new application model," said Wendy Seltzer, an assistant professor specialized in Internet law at New York's Brooklyn Law School.
As a consequence of the legal threat, well-intended "white-hat" hackers often credited with finding bugs in traditional software are hesitant to audit Web applications. This means that online applications don't face the same scrutiny as traditional software and serious security holes could be left for unscrupulous criminal hackers to find them."