Ask HN: Did you test for the heartbleed vulnerability without permission? - comice

Checking services for vulnerabilities without permission is quite likely illegal in many countries (UK in particular). Did you knowingly break the law yesterday testing for it?

Do you think it should be legal to do vulnerability checks like this?
======
comice
Instead of just testing one supplier, I tried to ask them about their own
assessment. It was a very frustrating experience and took 30 mins of faffing
around, and the only answer I got was they hadn't heard about it and were going
to look into it (they were a large company btw, other departments of which had
issued statements).

Compared to just checking it with a script that takes several seconds to run,
this was pretty ridiculous.

------
mcherm
Yes, yes I did knowingly break the law in doing that test.

I rely on the good grace of my employers and my banks not to press charges for
this. Of course I commit many other felonies regularly also.[1]

Yes, I think it should be legal to do this sort of vulnerability test, but I
doubt that the legislature (or even myself, if I were made dictator) has the
ability to write a law that criminalizes "bad" exploit abuse while allowing
"good" exploit abuse.

[1] -
[http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp...](http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.aspx)