Quantifying the Pressure of Legal Risks on Third-Party Vulnerability Research

Alexander Gamero-Garrido, Stefan Savage, Kirill Levchenko, and Alex C. Snoeren. 2017. Quantifying the Pressure of Legal Risks on Third-party Vulnerability Research. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 1501-1513.

13 pages. Posted: 1 Sep 2017. Last revised: 29 Nov 2017.

Alexander Gamero-Garrido

University of California, San Diego (UCSD)

Stefan Savage

University of California, San Diego (UCSD)

Kirill Levchenko

University of California, San Diego (UCSD)

Alex Snoeren

University of California, San Diego (UCSD)

Date Written: August 30, 2017

Abstract

Product vendors and vulnerability researchers work with the same underlying artifacts, but can be motivated by goals that are distinct and, at times, disjoint. This potential for conflict, coupled with the legal instruments available to product vendors (e.g., EULAs, the DMCA, the CFAA), drives a broad concern that "chilling effects" dissuade vulnerability researchers from vigorously evaluating product security. Indeed, there are well-known examples of legal action taken against individual researchers. However, these are inherently anecdotal, and skeptics of the chilling-effects hypothesis argue that there is no systematic evidence to justify such concerns. This paper is motivated by precisely this tussle. We present some of the first work to address the issue on a quantitative and empirical footing, illuminating the sentiments of both product vendors and vulnerability researchers. First, we canvass a range of product companies for explicit permission to conduct security assessments, and thus characterize the degree to which the broad software vendor community supports vulnerability research and how that support varies with the nature of the researcher. Second, we conduct an online sentiment survey of vulnerability researchers to understand the extent to which they have abstract concerns or concrete experience with legal threats, and the extent to which this mindset shapes their choices.

Keywords: Vulnerability; Public Policy; Copyright

Suggested Citation

Gamero-Garrido, Alexander and Savage, Stefan and Levchenko, Kirill and Snoeren, Alex, Quantifying the Pressure of Legal Risks on Third-Party Vulnerability Research (August 30, 2017). In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 1501-1513. Available at SSRN: https://ssrn.com/abstract=3029140

Alexander Gamero-Garrido (Contact Author)

University of California, San Diego (UCSD)

9500 Gilman Dr
Mail Stop 0505
La Jolla, CA 92093-0505
United States

HOME PAGE: http://cseweb.ucsd.edu/~agamerog

Stefan Savage

University of California, San Diego (UCSD)

9500 Gilman Drive
Mail Code 0502
La Jolla, CA 92093-0112
United States

Kirill Levchenko

University of California, San Diego (UCSD)

9500 Gilman Drive
Mail Code 0502
La Jolla, CA 92093-0112
United States

Alex Snoeren

University of California, San Diego (UCSD)

9500 Gilman Drive
Mail Code 0502
La Jolla, CA 92093-0112
United States
