November 24, 2008 | By Jennifer Granick

A "Grey Hat" Guide for Security Researchers

In counseling computer security researchers, I have found the law to be a real obstacle to getting vulnerabilities fixed. The muddy nature of the laws that regulate computers and code, coupled with a series of abusive lawsuits, gives researchers real reason to worry that they might be sued if they publish their research or go straight to the affected vendor. By reporting the security flaw, the researcher reveals that she may have engaged in unlawful activity, which might invite a lawsuit or a criminal investigation. On the other hand, withholding the information means a potentially serious security flaw may go unremedied. I discuss this problem, and offer some ideas about what researchers can do about it, in a new document called "A 'Grey Hat' Guide". Constructive feedback is welcome, as I can use it to improve the paper.
