Publishing exploit code ruled illegal in France?

Researchers that reverse engineer software to discover programming flaws can no longer legally publish their findings in France after a court fined a security expert on Tuesday.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, who initiated legal action against the researcher. That action resulted in a case being brought to trial at a Court in Paris, France. The prosecution claimed that Tena violated article 335.2 of the code of intellectual property and was asking for a four month jail term and a 6,000 euro fine.

On Tuesday, the French court ruled that Tena should not be imprisoned but gave him a suspended fine of 5,000 euros. This means he only has to pay the fine if he publishes more information on security vulnerabilities in software.

Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik, which is known for regularly publishing exploit codes, told ZDNet Australia  that although it is good news that Tena did not have to go to jail, the ruling is very bad news for the security research industry in France.

"This seems to be a good news but that is not the case. Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France -- how can a researcher publish a vulnerability if he can't study the software's structure?" said Bekrar.

On his Web site, Tena argued that if independent researchers were not allowed to freely publish their findings about security software then users would only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

Tegam is also proceeding with a civil case against Tena and asking for 900,000 euros in damages.

• Related stories

• Alerts

Sign up for an e-mail alert

ZDNet Australia Alerts is an e-mail alert service which provides personalised news, features and reviews to readers’ inbox on an hourly, daily and weekly basis.

Alert:

E-mail: *

Frequency: *

Hourly Daily Weekly

Add alert

Add your opinion

Add your opinion

* indicates information we require to process your submission

Subject: *
Comments: *
Full name: *
E-mail address: *

Your e-mail will not be displayed

Posting options: *

Display all details Do not display details

Security Code: *

You must read and type the 6 chars within 0..9 and A..F

 

1. This opens up a very dangerous precedent. When finding vulnerabilities becomes illegal, hackers will still research them and abuse them. The good guys won't. Everyone will be a lot more exposed. Also, won't this outlaw every it security company Anonymous -- 10/03/05

   This opens up a very dangerous precedent. When finding vulnerabilities becomes illegal, hackers will still research them and abuse them. The good guys won't. Everyone will be a lot more exposed.
   
   Also, won't this outlaw every it security company that actually does vulnerability research? I guess it's back to the days of security through obscurity. I for one don't trust any company's claims of security in their applications.
   
   As a side note, i believe this decision will be suspended and reappreciated by a higher instance court. I mean it's like arresting someone for showing how a high-security lock that company A sells is insecure and make it an illegal action to test high security locks for problems which may render them insecure.

   • Reply to comment
   • Reply to story
   • Report offensive content

2. As a 60 year old I am not a computer expert, but I can see the inherent danger in this ruling. Consumers like myself need information like this so that balanced decision's can be made on the software that is best for our needs. This decision means we can Anonymous -- 12/03/05

   As a 60 year old I am not a computer expert, but I can see the inherent danger in this ruling. Consumers like myself need information like this so that balanced decision's can be made on the software that is best for our needs. This decision means we can be sold garbage software for big dollar's or Euro's, and the manufacturer is protected. As it is they always have it in their small print they will not be liable for damages if the software does not perform as expected. This will sanction their thievery.

   • Reply to comment
   • Reply to story
   • Report offensive content

3. Weird - we're nowhere near April 1st either..... Anonymous -- 15/03/05

   Weird - we're nowhere near April 1st either.....

   • Reply to comment
   • Reply to story
   • Report offensive content

4. Very, very bad.... So lets look at the issue of SATAN.... You tell a code vendor you have a problem, they do nothing, you tell them again... they do nothing, so you tell the world that xyz has a problem with there software... Anonymous -- 05/05/05

   Very, very bad....
   So lets look at the issue of SATAN....
   You tell a code vendor you have a problem,
   they do nothing, you tell them again...
   they do nothing, so you tell the world that
   xyz has a problem with there software...
   Now you find your self in jail??????
   I smell a BIG BAD RAT here!!!!!!!!
   So where does that leave us with all of the MS-bugs??
   The spyware venders are going to have a hey day with this one......
   Phil

   • Reply to comment
   • Reply to story
   • Report offensive content

• Just In

• Most Popular

• Most Discussed

Login

E-mail Password (forgot?)

Login Remember

Like 124,000 other people join the community and get the latest news from the IT industry.