The Inquirer-Home

Researcher claims reporting software holes is dangerous

Woe, woe, thrice times woe
Tuesday, 23 May 2006, 07:45
A RESEARCHER for the Center for Education and Research in Information and Assurance (CERIAS) at Purdue University says that it is far too risky to warn software companies about holes.

Pascal Meunier, the author of the Cassandra system, said the police treat those reporting the holes as hackers.

He was involved in disclosing a vulnerability, found by a student, to a production web site using custom software.

He said that the police quizzed him about how he found the vulnerability. He suggested the cops suspect that if you find one Achilles' Heel, you might have found more and not reported them.

Meunier said that bad things could have happened to him because he believed that students who stumble across a problem should report vulnerabilities anonymously through an approved person. Network administrators and the long arm of the law don't tend to like that sort of thing.

Writing on his blog, he said that as a "stubborn idealist" he clashed with a detective by refusing to identify the student who had originally found the problem.

He was threatened with court orders and a large number of felony counts and had no support from his University. Meunier said his job was only saved by the student coming forward and talking to the police.

Now he tells his students not to report any vulnerabilities on web sites as it is not worth the risk. µ
