
Bugs for Sale: Legal and Ethical Proprieties of the Market in Software Vulnerabilities, 28 J. Marshall J. Computer & Info. L. 451 (2011)


Abstract

The pertinent questions therefore are: first, could software vulnerabilities be obviated simply by ameliorating factors responsible for market failure as canvassed by the literature on the economics of software security, drawing on the strength of the theory of information asymmetry, or are vulnerabilities inevitable irrespective of market dynamics and solutions? Second, to what extent is vulnerabilities research or the surreptitious exploitation of software vulnerabilities by hackers tantamount to trespass, and what are the legal implications, if any? Third, to what extent is the peddling of software vulnerabilities valid or enforceable in law? Fourth, what are the implications of software vulnerabilities research for intellectual property rights? Fifth, what is the moral propriety of the market in software vulnerabilities, or should the beneficial effects of vulnerabilities disclosures trump or exculpate the palpable wrongfulness or ethical concerns underpinning the hacking of information systems? Sixth, if software vulnerabilities were inevitable, how best to manage them to ensure the integrity of digital infrastructures? The paper is divided into seven parts. Part one is the introduction; part two examines the proprieties of information asymmetry and other economic theories inexorably linking software vulnerabilities to market failure; part three discusses vulnerabilities detection research and reviews the boundaries separating professional and malicious hacking; part four discusses the modality and effects of vulnerabilities disclosure; part five analyzes sundry legal issues probing the legality of vulnerabilities research and disclosure, which range from cyber trespass, cyber-crime, intellectual property rights to the recurring question on whether a liability regime could rein in insecure software? 
Part six discusses the ethical proprieties of vulnerabilities research and market, whilst part seven concludes the discourse by proffering best practices for software vulnerabilities governance.
