
Out of curiosity - why should I be required to ask for permission from a given company to probe company-owned infrastructure?

What I mean here is that if there's a bug / vulnerability on a given company's infrastructure, then that company should fix it and not put the blame on a user that was affected by it (even if the device that communicates with the given infrastructure always follows the happy path).



I'll try to get back to a real-world analogy; think of a bank:

Can you try opening the public door off hours and discover it is locked? Yes, of course.

If the public door is unlocked, can you now go inside the bank and start trying different combinations to open the safe? No, you will be arrested.

Anytime you move from probing a website with a browser to using other tools, your actions are subject to interpretation.


You need permission because:

1) the probing almost always involves breaking the terms of the contract you made with that company.

2) it creates a paper trail of intent.

3) it's not your property so why wouldn't you need permission to access it?

I am not sure how permission affects a company's ability or obligation to fix security bugs. I agree they should fix it.

We can make the law so that not only does the company approve of the request, but they have to disclose to you additional information that can help you find bugs. Idk, the point is I'm advocating for creating a system where researchers work with the company rather than as vigilantes.



