The poll on the "What is this?" page is pretty stupid.
Legal Poll:
Is it illegal to walk into someone else's home uninvited if the door is wide open?
No door, no locks, no guard dog, no "no trespassers" sign at all. Is walking into someone else's house illegal?
---
This isn't precisely the same situation, but it's pretty close. Regarding the actual poll (accessing a completely open MongoDB database), the question I have for you is how did you find that database? If someone posted a link to it saying "hey here's my database, feel free to take a look" then by all means go look at it. If you go portscanning the internet and find the database, it probably wasn't intended for you to access it.
> It's important to understand where the lines are, is it illegal for a security researcher to stumble across a completely unsecured database? And then view the records in it?
Stumbling across it is fine. Once they know it's there, why does this "security researcher" need to go snooping through the actual data?
Even when attacking a system that has a real bug bounty and invites security researchers to access it, the rules generally prohibit actually poking around customer data. Once you verify that you are capable of accessing the data, that's where you stop, you don't actually look at it.
5 comments
[ 4.8 ms ] story [ 16.5 ms ] threadYou could at least made it 42
Legal Poll:
Is it illegal to walk into someone else's home uninvited if the door is wide open?
No door, no locks, no guard dog, no "no trespassers" sign at all. Is walking into someone else's house illegal?
---
This isn't precisely the same situation, but it's pretty close. Regarding the actual poll (accessing a completely open MongoDB database), the question I have for you is how did you find that database? If someone posted a link to it saying "hey here's my database, feel free to take a look" then by all means go look at it. If you go portscanning the internet and find the database, it probably wasn't intended for you to access it.
> It's important to understand where the lines are, is it illegal for a security researcher to stumble across a completely unsecured database? And then view the records in it?
Stumbling across it is fine. Once they know it's there, why does this "security researcher" need to go snooping through the actual data?
Even when attacking a system that has a real bug bounty and invites security researchers to access it, the rules generally prohibit actually poking around customer data. Once you verify that you are capable of accessing the data, that's where you stop, you don't actually look at it.
I believe that in the UK, trespassing isn't actually illegal[0] (but aggravated trespassing is).
0: https://greenandblackcross.org/guides/laws/5-trespass-aggrav...