Rain Forest Puppy has written an article on vuln disclosure discussing ethics.
"simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY
VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS
ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so
important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR
SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission)
IS ILLEGAL PER THE LAWS OF YOUR COUNTRY."
I'd have to agree with him, and this is something that people aren't taking into consideration when screaming about XSS bugs in major sites.
"The law is the law, and changing that is a long, drawn-out process.
While many may not agree with the law, it still is what it is for the
time being. And if the laws in your country address cybercriminal
activity, then it is likely that looking for security vulnerabilities
in a third-party hosted web site is not differentiated in any way from
exploiting the third-party hosted web site for malicious purposes. Thus
disclosure policies and ideologies that look to describe how to
disclose problems found in third-party web sites are a bit of a
misnomer, because researchers should generally be discouraged from
looking due to the research activity likely to be considered criminal!"
RFP Link: http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx