The principle of full-disclosure is to publish all the details of a discovered security problem (a software vulnerability). By doing this, the security researchers try to fight against the other principle of “Security by Obscurity”. Once a vulnerability has been found, the “normal” way of working should be to contact the developers of the affected product and give them the details to help them to fix the issue. This is called “Responsible Disclosure”. Helas, we aren’t living in a perfect world and, often, it takes time to close the hole. In worst cases, it will never been closed!
In the Full-Disclosure scenario, the security researcher contacts the software editor and, immediately after, publishes his work for the community without waiting for an editor’s feedback. In this scenario, all information is published: the vulnerability but also how to detect and exploit it. It can be immediately re-used by “black hats” for bad purposes. That’s why the Full-Disclosure was always source of debates and is seen as a bad practice by some editors. On the other side, it forces them to do their job… so simply! How many vulnerabilities would never have been settled without the Full-Disclosure?
Are things changing in France? A tribunal in Montpellier decided that Full-Disclosure is illegal according to the following article (323-3-1 from the criminal code) : Â«Represses the provision of equipment, instrument or computer program designed or adapted to commit violations of the automated processing of dataÂ» (translation from French by Google Translate)
Note that this law was voted and published in 2004! There was already a discussion about it on the Bugtraq mailing list. But it seems it was never applied to Full-Disclosure cases. This is really a big issue for the security researchers in France. Will the Full-Disclosure move to the underground or the dark side of the force? Hopefully, only French researchers are affected (for now). Long live to Full-Disclosure!
Source: dazibaoueb.fr (French article)