Recently, I blogged about the ethical ramifications of security professionals hacking websites. They probe the sites, discover vulnerabilities, notify the companies, then blog about their exploits. I haven’t decided yet whether or not I consider this an ethical practice and something security pros should be doing. On one hand, companies should be protecting their customers’ information. And if the site is public, they should have an expectation that it will be poked and prodded. On the other hand, security pros have an ethical responsibility to only test the security of sites they are authorized to test. It’s clear that they aren’t obtaining authorization for these tests. And that may very well be illegal, to boot.
Today, I ran across this guy (I don’t know his name) who reveals some security problems in Sears’ website. It’s a problem worth discussing. He makes legitimate points on the security of gift cards. It’s something that people really should be aware of.
But does that justify his actions? I’m still on the fence about this one. It sounds like we need a framework to deal with this problem. We need to stay professional and on the right side of the law, while at the same time exposing poor security.
What do you think? I’d be interested in hearing your perspective.