This has always been a difficult topic for security researchers; if they find a vulnerability on someone’s website (no matter if it was accidental or intentional), do they report it? And if they do report it, will they be praised or prosecuted? While a lot of people are discovering vulnerabilities to help others, it can make it very difficult to trust anyone who brings a vulnerability to your attention. Especially with the anonymity of the Internet behind them, how can you tell if the person is legitimate? Because of factors like these, this is a very delicate topic, which I personally don’t think will have a remedy any time soon.

What if a Web researcher found a bug on your Website today — but was too afraid of the law to tell you?

The Computer Security Institute (CSI) recently formed a working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents to explore the effects of laws that might hinder Web 2.0 vulnerability research. And the CSI group’s first report — which it will present on Monday at CSI’s NetSec conference in Scottsdale, Ariz. — has some chilling findings.

In the report, some Web researchers say that even if they find a bug accidentally on a site, they are hesitant to disclose it to the Website’s owner for fear of prosecution. “This opinion grew stronger the more they learned during dialogue with working group members from the Department of Justice,” the report says.

That revelation is unnerving to Jeremiah Grossman, CTO and founder of WhiteHat Security and a member of the working group. “That means only people that are on the side of the consumer are being silenced for fear of prosecution,” and not the bad guys.
