The Legality Boundary of Security Vulnerability Discovery: A Behavioral Elements Framework under the Authorization Model
2017

Abstract:
Non-compliant or illegal security vulnerability discovery disrupts the development of cybersecurity practice and exposes gray areas in the law. A security vulnerability has a dual nature: it is both a non-traditional defect and a resource, and neither traditional defect theory nor punishment under criminal law alone can capture or accommodate the complexity that this dual nature presents. At present, because the relevant legal provisions are vague, vulnerability discovery carries several legal risks: the act itself may incur criminal liability for "intrusion" into a computer information system; the legal status of "white hats" is unclear; there is no detailed guidance on the boundaries of authorization or on its constituent elements; and the compliance of crowdsourced testing (bug bounty) platforms needs to be strengthened. Accordingly, starting from the legal nature of security vulnerabilities, the boundary of lawful vulnerability discovery should be defined, and the authorization, limitations and exceptions that apply to vulnerability hunting should be made explicit, so that these legal risks can be avoided or mitigated.