Ask HN: Legal situation of disclosing anti-virus bugs

2 points by landave ↗ HN
During the last year, I discovered numerous bugs in different commercial anti-virus products. All of those bugs have been reported to the vendor, and have been fixed by now.

I always wanted to share at least the interesting parts of my results publicly. Now, I have finally found the time to so [1].

However, I see two main issues concerning my plan.

First, it is very difficult to ensure that a bug I found does not exist in other software systems. This is particularly delicate with anti-virus software, because those products are linked statically to a large number of widespread libraries. For example, a bug in the decompression code of some archive format may easily affect a myriad of other systems.

Second, in order to explain the cause of a bug properly, I plan to disclose some of the software's internals (mostly disassembly). It is unclear whether this is already enough to infringe a copyright law (such as the DMCA).

It is not clear at all to me what the legal situation looks like. I'm not affiliated with any large company, and I obviously cannot afford being sued personally.

The exact legal situation might be unclear, but any kind of experience or story would help estimating the risk I am taking. Because in the end, it comes down to this. Is the likelihood of being sued low enough?

[1] https://landave.io/2017/06/announcing-a-new-blog-series-on-anti-virus-software/

0 comments

[ 3.0 ms ] story [ 12.4 ms ] thread

No comments yet.