CMP Technology's Computer Security Institute Creates Cross-Disciplinary Group of Web Security Researchers, Computer Crime Law Experts and Agents From the U.S. Department of Justice to Discuss Web 2.0 Research Roadblocks

Group's Initial Report to Be Released at Computer Security Institute's

NetSec Conference on June 11

Jun 04, 2007, 01:00 ET from CMP Technology's Computer Security Institute

SAN FRANCISCO, June 4 /PRNewswire-USNewswire/ -- The Computer Security Institute (CSI) today announced it has formed a cross-disciplinary working group of Web security researchers, computer crime law experts and agents from the U.S. Department of Justice on the legal barriers to Web 2.0 vulnerability research and disclosure. The group will release its first report Monday, June 11 at CSI's NetSec conference in Scottsdale, Ariz.
"Security researchers are able to identify and publicly disclose software vulnerabilities or further write proof-of-concept exploit code without fear of criminal prosecution," said Jeremiah Grossman, CTO of WhiteHat Security and a contributor to the group. "But Web security researchers aren't so lucky: under some laws, a researcher could find himself prosecuted for simply looking for a Web site vulnerability, much less disclosing it publicly."
The working group's aim is not to espouse any particular position on this question, but rather to identify, debate and explain all the legal, ethical, social and technological considerations feeding this issue.
"This report serves as a meeting of the minds, bringing together ideas and concerns from the developers, security researcher and law enforcement communities, making it a unique touch point for everyone caught in the frenzy of Web 2.0," added Grossman.
Within the report will be:

-- A matrix of Web security research methods (on a scale of least-invasive to most-invasive), assessments of how the law may interpret these actions and gauges of the likelihood a Web researcher will be criminally prosecuted for such actions;

-- Discussion of how the law may be changed, including how liability is assigned, how "damage" is quantified and how disclosure and criminal intent factor into sentencing; and

-- Suggested endeavors the industry may create to improve Web security within the current letter of the law, such as: better secure Web development standards, better Web site security certifications, anonymous vulnerability disclosure tip lines and a service that invites registered researchers to hack "dummy" Web pages, which are modeled off typical Web sites but contain fake data.
A question and answer period with some members of the working group will follow the report presentation. Members of the working group include: Brian Chess, founder and CTO of Fortify Software; Jennifer Granick, executive director of the Center for Internet and Society, Stanford Law School; Jeremiah Grossman, CTO, WhiteHat Security; Billy Hoffman, lead researcher, SPI Labs; John Lynch, deputy chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice; Scott Parcel, vice president of engineering, Cenzic; Jon Rusch, special counsel for fraud prevention, Criminal Division, U.S. Department of Justice; Lee Tien, senior staff attorney, Electronic Frontier Foundation; and Jacob West, manager of the security research group, Fortify Software.
NetSec '07 will be held June 11-13 at The Phoenician in Scottsdale, Ariz. The conference covers a wide variety of topics, from live forensic analysis to data breach notification law. NetSec is geared both to those entering the field and to experienced practitioners, and addresses managerial and compliance, as well as technical, issues. For details and to register go to:
CSI serves the needs of information security professionals through conferences, regional events, on-site training, Webcasts, end-user awareness newsletters and training tools, member publications and the widely quoted CSI Computer Crime and Security Survey. Visit for further information.
About CMP Technology (

CMP Technology is a marketing solutions company serving the technology industry. Through its market-leading portfolio of trusted information brands, CMP has earned the confidence of more technology professionals than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (, a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.
Sara Peters
CMP Technology's Computer Security Institute
(office) 212-600-3066
(cell) 609-213-9361

SOURCE CMP Technology's Computer Security Institute