Ask HN: Should I publish Heartbleed statistics? - tempbleed

Hello HN, I've modified some public exploit code to scan a list of HTTPS hosts and calculate simple statistics. None of the data that the exploit retrieves is logged.
I've run it on one list of hosts with OpenSSL/1.0.1 in their Server header, and am in the process of scanning a larger, more statistically significant list of assorted HTTPS hosts. The OpenSSL hosts have a 42% vulnerability rate. :(
I made this with the intent of creating a "heartbleed monitor" website, but all of my friends tell me I'll go to jail if I publish these results. Do any of you have thoughts/advice?
Thanks,
Anonymous for now
======
palcu
You cannot go to jail because you've scanned for a vulnerability. Also, others
have compiled lists [https://github.com/musalbas/heartbleed-masstest/blob/master/...](https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt).

~~~
mcintyre1994
Without knowing OP's jurisdiction this seems irresponsible. IANAL and OP, you
should probably speak to one, but pen testing without permission can
absolutely be illegal.

~~~
tempbleed
I'm in the US.

I guess it wasn't a very good idea to post this question. It's definitely
illegal; I was "accessing a computer without prior authorization" (to
paraphrase CFAA) to steal data, albeit with the best of intentions. But it's
good to know that I wouldn't be the first to publish, and that gist is much
more brazen than what I was planning (which was just stats and trends.)

I'm going to think long and hard about whether I publish this. I can't really
afford to speak to a lawyer. If it's that close a call, I'll err on the
cautious side.

Thank you both for the assistance, it's appreciated.

------
fabulist
I've no idea, but I think having a verbose server header like that indicates
an indifference to security already....
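Both the original post (hosts picked out by an `OpenSSL/1.0.1` token in their Server header) and this reply (a verbose header as a sign of indifference) are about what a server advertises about itself, which can be assessed without probing anything. The following is an added example, not code from the thread or from the heartbleed-masstest project: it parses Server header values into product/version tokens, flags headers that disclose versions at all, and counts how many advertise an OpenSSL version in the 1.0.1 to 1.0.1f range that Heartbleed (CVE-2014-0160) affected. The header strings are constructed samples, the product-token regex is a simplified reading of the HTTP `Server` grammar, and the version-range test is an assumption that only looks at the advertised string (a patched backport can still advertise an affected-looking version, so this is a disclosure check, not a vulnerability test).

```python
"""Summarise version disclosure in HTTP Server headers (added example).

The header strings below are constructed samples, not real scan results.
The affected-range check only reads what a host advertises; it does not
test the host and says nothing about backported fixes.
"""
import re
from collections import Counter

# Simplified product token: name, optional "/version". Parenthesised
# comments such as "(Ubuntu)" are removed before tokenising.
_PRODUCT_RE = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:/([^\s()]+))?")

# Assumption based on the public advisory: Heartbleed affected OpenSSL 1.0.1
# through 1.0.1f; 1.0.1g and later are outside the range.
_AFFECTED_OPENSSL_RE = re.compile(r"1\.0\.1([a-f])?")


def parse_server_header(value):
    """Return a list of (product, version_or_None) from a Server header value."""
    no_comments = re.sub(r"\([^)]*\)", " ", value)
    return [(m.group(1), m.group(2)) for m in _PRODUCT_RE.finditer(no_comments)]


def is_verbose(value):
    """True if the header discloses any product version at all."""
    return any(ver is not None for _, ver in parse_server_header(value))


def advertises_heartbleed_range(value):
    """True if the header advertises an OpenSSL version in the affected range."""
    for product, ver in parse_server_header(value):
        if product.lower() == "openssl" and ver is not None:
            if _AFFECTED_OPENSSL_RE.fullmatch(ver):
                return True
    return False


# Constructed sample headers (not observations from any real host list).
SAMPLE_HEADERS = [
    "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "nginx/1.4.6",
    "Apache",
    "Microsoft-IIS/7.5",
    "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g mod_wsgi/3.4 Python/2.7.6",
    "cloudflare-nginx",
]


def summarise(headers):
    """Count total headers, version-disclosing headers, and affected-range OpenSSL tokens."""
    counts = Counter()
    for value in headers:
        counts["total"] += 1
        if is_verbose(value):
            counts["verbose"] += 1
        if advertises_heartbleed_range(value):
            counts["openssl_affected_range"] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarise(SAMPLE_HEADERS)
    for key, count in summary.items():
        print(f"{key}: {count}")
```

The interesting column for a defender is `verbose`: a Server header that names exact versions hands an attacker the same triage list this script builds, which is why trimming it (`ServerTokens Prod` in Apache, `server_tokens off` in nginx) is a cheap hardening step regardless of which library is behind the header.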

