I am interested in learning about the legality of website vulnerability scanning. From Wikipedia: “A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses”. As a researcher with no ill intent, would I be breaking any obvious American (interested in other countries too) law simply by running a vulnerability scanner on a number of websites?
I will assume YANAL unless otherwise stated.
Here’s a discussion …
There has to be damage, and/or intent to be "immoral" (for example, it's possible that the intent to give other people the clues of the vulnerabilities is showing an intent to do damage…)
Depends on what else you do. If you sent requests for payment, you might be doing damage by threatening, which is a form of damage and shows an intent.
Considering that ZMap has just been released, and is apparently capable of port-scanning the entire IPv4 internet in 45 minutes, it is going to be pretty hard to avoid…
In truth, it depends on the aggressiveness of the scan. If you are just looking for open ports or vulnerable web scripts, probably not (equivalent to looking for open windows down the street). If you probe the ports/read the contents of scripts (rattle the door handles to see if they are locked) you are probably still OK. If you attach to the port/execute the script, and send some data to get a response (open an unlocked door, look around, walk away) you are on the edge. If you attach to a port/launch a script, and send some data that locks a process/crashes a service/OS (open an unlocked door, toss in a Molotov cocktail) you have crossed a line into clearly illegal activity.
In terms of specifically webserver vulnerability, even probing for exposed upper-level directories (i.e. http://www.some.server/../) has been prosecuted as unauthorised access in the UK, so that draws a fairly clear line.