Microsoft has boldly promised not to attack hackers who responsibly find and report security flaws in the company’s online services. This is an unusual move for a big company since large entities tend to attack anyone that breaches their servers — whether the offending party had malicious intentions or hoped to help the organization.
For example, consider Eric McCarty’s story. The USC student discovered a method of accessing the records of prospective students in the school’s online application system. Even though he reported the problem instead of using it against USC and its applicants, McCarty was found guilty of computer intrusion.
At the ToorCon security conference in Seattle on Saturday, Microsoft promised not to prosecute ethical hackers, says the Register. The software giant — taking the route of common sense — plans to capitalize on the web’s army of security researchers.
It seems many big companies prefer their security holes stay hidden rather than patched up, but a lot of them also tend to make big decisions that don’t make much ethical or moral sense. Sometimes their decisions tend to lack common sense altogether.
Then again, if you discover a gaping security hole at a military base, you aren’t suddenly granted the right to go inside and open confidential files. Whatever your intentions are, there’s a good chance you’re going to get arrested and prosecuted if you do it. Breaking into someone else’s property is really, really against the law, and some things — and access to them — are for certain people only.
So shouldn’t this also apply to Internet security? Traditional logic would say yes, but we can’t say yes — at least not for every situation. The Internet works with a different set of rules, which must be taken into consideration when responding to web trespassing. We applaud Microsoft for not prosecuting professionals seeking to help the company, but we can understand if an organization doesn’t want any unauthorized users peering into its servers.
Though fads are common even in the business world, we can’t see this being too popular amongst many companies. Sure, some will jump on the bandwagon just to say, "look, I’m a good company" — like Microsoft is doing right now — but some things are simply for certain eyes only. Even the best, nicest, and most heroic security researchers must understand that.