Too many defects can’t be uncovered, but must be used before anybody will think “maybe we should fix that.” So no, tedu made a good point. Just because the bank doesn’t lose doesn’t mean you didn’t wander into the vault then take things out as proof.
I strongly disagree. As a customer of a product or a service I would want to know about the possible exploits against that service. Whether the exploits are made public or not, they’re still there and your data is still vulnerable.
Agreed, but proving a computer security vulnerability often involves getting either pre-placed data or a random person’s data, at least from the people I’ve read. It’s not quite holding up a bank at gunpoint, but it’s definitely going through the hole in the drywall.
Should it be legal to rob a bank and turn yourself in?
More like should it be legal to show customers of the bank that it has a hole in the wall covered up with some wallpaper.
Basically, should it be legal to do a physical security pen test without a contract?