By Tom Espiner
25 Nov 2008
The US-based Electronic Frontier Foundation has published a guide on how
IT professionals can avoid falling foul of the law as a result of
The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide  ponders
such questions as what a security researcher should do if they
unintentionally "violate the law" in the course of their investigations.
"A computer-security researcher who has inadvertently violated the law
during the course of her investigation faces a dilemma when thinking
about whether to notify a company about a problem she discovered in one
of the company's products," the guide states. "By reporting the security
flaw, the researcher reveals that she may have committed unlawful
activity, which might invite a lawsuit or criminal investigation. On the
other hand, withholding information means a potentially serious security
flaw may go unremedied."
The EFF said that researchers in this situation could reconstruct
research using technology they are authorised to use, or report the flaw
in general terms. However, both of these options are "undesirable", the
Help InfoSecNews.org with a donation!