Legality of Full Disclosure?

Purely hypothetical situation:
A researcher finds a critical security hole in a major company. Instead of informing the company, the researcher decides to release the vulnerability to the world in full detail. The researcher does not exploit the vulnerability in any way, but someone who reads the disclosure might.
Has the researcher committed a crime? Can the company successfully sue?
I’m wondering about the United States, but if you have insight on another country, please enlighten us.

I am NOT recommending this, just wondering what might happen.


I’m not well versed in this particular side of things, so I’d be super interested in what @jhaddix or @kymberlee would have to say on this subject.

I’d suggest people go the “Responsible Full Disclosure” route, where you contact the vendor and give them time to fix it, then notify the public after some period of time.

For example, I really appreciated how @TheColonial went about disclosing a bug earlier this year. You can read about it here:
https://beyondbinary.io/advisory/seagate-nas-rce/


This really depends on the law under which you and the vendor fall. In some countries this can be illegal, and you could be charged as an accessory to a cyber crime. In other countries, it is perfectly fine.

In any case, a general rule, which is true in most countries, is that after a decent amount of time (30/60/90 days) you cannot be held liable. But this requires you to let the vendor know.