
Researcher claims police threats for reporting software holes

Reporting software holes is too risky, he says

PCW Staff, Personal Computer World 23 May 2006

A researcher for the Center for Education and Research in Information and Assurance (CERIAS) at Purdue University claims it is too risky to warn software companies about holes in their products.

Pascal Meunier, the author of the Cassandra system, said the police treat those who report holes as hackers.

He helped disclose a vulnerability, found by a student, to a production website that used custom software, but ended up being quizzed by the police over how he discovered the weakness.

The police, Meunier said, suspected that as he'd found one Achilles' heel, he may have found more but not reported them.

Writing on his blog, he said that as a 'stubborn idealist' he clashed with a detective by refusing to identify the student who had originally found the problem.

He claims the police then threatened him with court orders and felony counts, and that his university stood by and offered no support. Meunier said his job was only saved by the student coming forward and talking to the police.

Now he tells his students not to report any vulnerabilities on websites, as it is not worth the risk.

This article first appeared on sister site the Inquirer.

www.pcw.co.uk/2156690
© Incisive Media Ltd. 2008