Security: The Fine Line Between Disclosure And Violation

Sean Michael Kerner

Apple and Facebook had to decide whether hackers had disclosed useful data, or violated their terms, says Sean Michael Kerner

If someone doesn’t play by the rules and still wins, should he be rewarded? That’s a question that the information security industry is now grappling with.

Earlier this month, a security researcher defaced the Facebook wall belonging to CEO Mark Zuckerberg in an attempt to convince the social networking giant that there was a security flaw on the platform. According to Facebook, security researcher Khalil Shreateh violated Facebook’s Terms of Service by testing the flaw on a real account, for which he had not obtained user consent.

Bug bounty ban

As a result of that violation, Shreateh is not eligible for payment for the discovery of the flaw under the terms of Facebook’s bug bounty program. That non-payment didn’t sit well with security expert Marc Maiffret, who set up a page on the GoFundMe crowdfunding site to pay Shreateh a reward. The goal of the funding effort was to raise $10,000, and by midafternoon on Wednesday more than $11,000 had been raised.

While it’s great to see researchers get paid for their work, I think it’s important to also remember that the ends do not always justify the means. Shreateh violated the Facebook Terms of Service, and that’s potentially a serious matter. There is a law in the US called the Computer Fraud and Abuse Act (CFAA) that I recently wrote about. It has a number of provisions in it, including a key one that makes it illegal to “intentionally access a computer without authorization or in excess of authorization and thereby obtain information from any protected computer.”

I’m not a lawyer and don’t pretend to be one either. But I learned from attorney Marcia Hoffman (she spoke at Black Hat and DEFCON about security research and the law) that violating Terms of Service could potentially be an infringement of the CFAA as well. Don’t get me wrong, I’m a big supporter of security researchers and count me among the many who consider the CFAA to be flawed. All I’m saying is that it’s important to remember the context in this case and that there are various policies and laws that need to be considered. Yes, I know that Facebook allegedly ignored this researcher and, yes, I don’t think there is or was any malicious intent here from Shreateh either.

Apple’s developer intrusion

In a separate incident in July, a security researcher was allegedly responsible for an intrusion on Apple’s developer website. At the time, security researcher Ibrahim Balic publicly took credit for the intrusion, which he labeled as research, although I have never been able to independently confirm whether or not Balic’s original claim was entirely accurate.

As it turns out, Apple has recently credited Balic with reporting an information disclosure issue. No, it’s not entirely clear if that is directly related to the Apple Developer center flaw or not, but it is “interesting” to see Apple credit Balic, isn’t it?

Security researchers always walk a fine line between responsible disclosure and a possible CFAA infringement. I strongly believe that vendors should make it as easy as possible for researchers to safely and responsibly disclose flaws and then reward the researchers appropriately.

Sean Michael Kerner is a senior editor at eWEEK and