Security researchers often disclose vulnerabilities openly on the internet (full disclosure). Most of them do not realise that this can be illegal under the IT Act and sections of the IPC, and that it can have serious consequences.
When a researcher finds a vulnerability, he usually reports it to the company, but very often the company does not reply. If the company is not interested in taking action, the researcher may feel that disclosure is in the greater interest of national or public security.
He can then send the vulnerability report to the company again with a copy to CERT-In (the Indian Computer Emergency Response Team). CERT-In usually responds to the hacker/researcher and also contacts the company and advises it to fix the issue. There is no standard format for such reports; it would help if the government came up with a framework that defines a proper vulnerability disclosure policy.
If the company still does not fix the issue, the researcher can wait about a month before disclosing it fully to the community through the media (online and offline), along with proof that he communicated enough with the company and with CERT-In before releasing it.
However, does this protect the researcher from prosecution? If the victim company decides to take legal action, the researcher can still be prosecuted for publishing the vulnerability.
Some incidents have involved hackers who worked for a company and, because of disputes with that company, got involved in revenge hacking. Under any law, a crime that is premeditated or pre-planned is treated as more serious. Such actions are completely illegal.
Many companies, such as Facebook and Google, offer bounties to hackers, and bugs can be reported to them directly. If a company does not accept the vulnerability report, it can be sent to CERT-In and then published publicly.
The law does not protect the reporter of a vulnerability. It becomes the responsibility of the hacker/researcher to prove that he acted for the greater social good (which can mean a lot of trouble with the law). If the government does not come up with a proper framework, hackers will be driven to report vulnerabilities anonymously, fearing prosecution by the police on the victim company's complaint.
What about hackers who publish a vulnerability openly without going to CERT-In or the company? They do it, of course, for fame, or because they never really wanted it fixed. Most companies view such hackers as unreliable because of their poor disclosure practice and will not hire them for anything important. They lose opportunities.
The recommendation is to follow proper reporting: first to the company that is the victim, then to CERT-In, giving them enough time to fix the issue. Only if the vulnerability can affect the public at large and no action has been taken should full disclosure be considered.
Author: J Prasanna, Founder, Cyber Security & Privacy Foundation