Over the past few years, there have been plenty of examples of companies with security vulnerabilities blaming the messenger when the vulnerabilities are pointed out, often threatening them with time in jail. The end result, of course, is that many security researchers are afraid to report vulnerabilities, as they may be blamed for them. Of course, that doesn't mean that others haven't found the same vulnerabilities and started using them for malicious purposes.

The latest such case is pointed out by Broadband Reports and involves an ISP in the UK called BeThere. Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven't bothered to fix the vulnerability -- despite it being published 7 weeks ago.

The reasoning from the ISP is astounding. They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he's not allowed to talk about its legal threat to him -- which isn't actually legally binding. It's not clear if the ISP doesn't understand what it's done or simply doesn't want to fix the vulnerability -- but the fact that it seems to think it's ok to leave the vulnerability there and just cut off the guy who pointed it out should make other customers of BeThere wonder about how the ISP treats their security.