Law in IT
Kirill Petrov, 2015-12-23 09:26:59

What will happen if a vulnerability/bug is published to the public?

Let's say I found a way to bypass the TELE2 operator's data transfer rate limit after the traffic limit has been reached. If I release an application for Android (requires root access) and start promoting it / receiving money from advertising, what are the scenarios?
I assume the following:
- The operator fixes the bug / vulnerability and forgets about it
- A search for the creator of the application to punish him / initiate a criminal case
- A search for the creator of the application to encourage / hire him


5 answer(s)
Egor Ommonik, 2015-12-23
@Recosh

It is usually done like this: a bug hunter finds a vulnerability and studies it. Then he notifies those in whose infrastructure the vulnerability is located and waits for some time. If there is no progress in eliminating the vulnerability, he publishes an article on a specialized resource, uses the vulnerability, or gives up on the matter; it all depends on his imagination.
However, there is responsibility for actions. If the communication contract contains clauses on abnormal actions regarding communication services, then he can be held accountable for it. The best profit comes first of all from writing articles and gaining experience and fame as a specialist, and only then from the benefit received from oversights.

Oleg Tsilyurik, 2015-12-23
@Olej

- Search for the creator of the application to punish him / initiate a criminal case

What is the criminal case? ... Buy an assassin, and he will cut his throat ... ;-)

OnYourLips, 2015-12-23
@OnYourLips

If the agreement prohibits the use of this, but due to some error it is technically possible, then making a significant profit from this bug or writing a program to exploit it for personal gain is already a criminal offense under Russian law.

nirvimel, 2015-12-23
@nirvimel

There is a way to resolve the situation neatly. To do this, you need to compose a competent disclaimer, add it at the top of the license, add it at the top of the description on the Market (or any site where the publication takes place), even if this somewhat contradicts the marketing approach, and add a pop-up window with this text in a large font to the application itself, so that the window cannot be closed sooner than after N (let's say N = 5) seconds and so that the application functionality becomes available only after the user clicks on the "I accept the terms" button.
In the disclaimer itself, indicate that the user is personally fully responsible for any consequences of using this software and possible damage to a third party ... In general, google "as is, disclaimer" and translate.
The provider itself, of course, will not stop trying to put pressure on you and on the sites that host your software by any means. Be prepared for your application to be thrown off the Market very quickly. But if you arrange everything correctly and do not use your own software yourself ;) then, according to the law, there will actually be nothing to charge you with. Attempts on their part are possible, but basically it is just intimidation.
If you decide to do this, then you better improve your legal literacy or find a person who is well versed in these issues.

pingo, 2015-12-23
@pingo

Maybe it's not a bug but a feature?
Use it yourself, especially since monetizing it in public is almost unrealistic.
Interesting vulnerability, is it connected with UDP?
