Publishing exploit code ruled illegal in France?

Publishing exploit code ruled illegal in France?

Summary: Publishing exploit code becomes illegal in France.

TOPICS: Security
Researchers that reverse engineer software to discover programming flaws can no longer legally publish their findings in France after a court fined a security expert on Tuesday.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, who initiated legal action against the researcher. That action resulted in a case being brought to trial at a Court in Paris, France. The prosecution claimed that Tena violated article 335.2 of the code of intellectual property and was asking for a four month jail term and a 6,000 euro fine.

On Tuesday, the French court ruled that Tena should not be imprisoned but gave him a suspended fine of 5,000 euros. This means he only has to pay the fine if he publishes more information on security vulnerabilities in software.

Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik, which is known for regularly publishing exploit codes, told ZDNet Australia  that although it is good news that Tena did not have to go to jail, the ruling is very bad news for the security research industry in France.

"This seems to be a good news but that is not the case. Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France -- how can a researcher publish a vulnerability if he can't study the software's structure?" said Bekrar.

On his Web site, Tena argued that if independent researchers were not allowed to freely publish their findings about security software then users would only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

Tegam is also proceeding with a civil case against Tena and asking for 900,000 euros in damages.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This opens up a very dangerous precedent. When finding vulnerabilities becomes illegal, hackers will still research them and abuse them. The good guys won't. Everyone will be a lot more exposed.

    Also, won't this outlaw every it security company that actually does vulnerability research? I guess it's back to the days of security through obscurity. I for one don't trust any company's claims of security in their applications.

    As a side note, i believe this decision will be suspended and reappreciated by a higher instance court. I mean it's like arresting someone for showing how a high-security lock that company A sells is insecure and make it an illegal action to test high security locks for problems which may render them insecure.
  • As a 60 year old I am not a computer expert, but I can see the inherent danger in this ruling. Consumers like myself need information like this so that balanced decision's can be made on the software that is best for our needs. This decision means we can be sold garbage software for big dollar's or Euro's, and the manufacturer is protected. As it is they always have it in their small print they will not be liable for damages if the software does not perform as expected. This will sanction their thievery.
  • Weird - we're nowhere near April 1st either.....
  • Very, very bad....
    So lets look at the issue of SATAN....
    You tell a code vendor you have a problem,
    they do nothing, you tell them again...
    they do nothing, so you tell the world that
    xyz has a problem with there software...
    Now you find your self in jail??????
    I smell a BIG BAD RAT here!!!!!!!!
    So where does that leave us with all of the MS-bugs??
    The spyware venders are going to have a hey day with this one......