
> This isn't a "grey area". It's illegal to test web applications run by other people for security vulnerabilities.

Scanning for Heartbleed is a good example of why it may well be - through a normal, authorized connection, it becomes apparent if the implementation is vulnerable.

Or are you referring specifically to sending a malformed heartbeat in the context of an authorized connection?

It's certainly not black-and-white to me.




So far as I know, Google didn't sweep the whole Internet for hosts vulnerable to Heartbleed. They found the software flaw on machines they ran.



