How to Security Research Without Getting Sucked into a Courtroom

Presented at LayerOne 2018 by

The idea for this talk came from several clients asking the same basic legal questions about security research and what they can and shouldn’t do to avoid criminal liability. I thought this would be a good forum to try to answer these questions, especially for private and independent researchers who do not have the backing of a large firm behind them. We’re going to try to answer a couple of generic legal questions that affect anyone who performs security research. Where’s the line in the sand regarding what a security researcher can do and shouldn’t do to avoid criminal liability, and what happens if it’s crossed? What happens when a security researcher wants to disclose a vulnerability to the manufacturer? Can that manufacturer sue the researcher to stop them from publishing their research or giving talks, and can the manufacturer sue for compensatory damages (i.e., money)?