Hacker Thrown in Jail for Reporting Police Security Flaws

May 27, 2016
Kevin Lam

Here’s what went down: a student discovered some vulnerabilities in the Tetra (Slovenian) police communication systems and reported them to the police. After waiting a year and with no remediation to the flaws, this student went ahead and publicly disclosed the information. As a result, he got a one year and three month sentence in prison. You can find the article at http://www.zdnet.com/article/hacker-thrown-in-jail-for-reporting-police-system-security-flaws.

I am not happy that the hacker got a prison sentence, but I am glad that this issue is getting more light. Public disclosure to try to force the hand of some vendor or organization to try to fix something you discovered is just … well, irresponsible. By publicly disclosing vulnerabilities, you’re actually creating more risk. Further, you put vendors/organizations depending on the risk into a panic mode where they have to drop everything and try to control the fire you’ve just started. They might release a buggy patch or get crucified in the news. Bottom line is no one likes to lose business or get their reputation damaged, so if they weren’t responsive earlier, they sure won’t be after you publicly disclose their vulnerabilities.

I’ve done plenty of security research and I’ve worked with companies that were receptive to my work, and those that weren’t. Here’s my advice: stick to working with companies like Microsoft, Twitter, Dropbox and Facebook who welcome security researchers with open arms. Work with them and stick to their disclosure policies (and not yours). For companies that blow you off, wish them luck and keep your work to yourself. Often time these companies (who may not have had any experience with security) panic and think they are being attacked by you when they aren’t. In the worst case they lawyer up and another organization (who probably also has no clue) goes after you legally. It’s not worth the back and forth, and definitely not worth going to jail for.

Kudos to the security researchers out there! Feel free to drop a note if you’re one of them and say hello.