| Web site security vulnerability mining technology,reporting,disclosure and utilization are important topics in the field of network security."White hat",as a special network subject,plays an irreplaceable role in the maintenance of network security,but its behavior is not clearly defined in the current theoretical circle.Theoretical research tends to be "Black Hat" with obvious characteristics.The existing criminal law has clear provisions on computer network crimes,and the focus of behavior research is also relatively concentrated.On the contrary,"White Hat" is widely criticized by the subject under test for digging and disclosing loopholes in order to maintain the security of the subject under test.Articles related to "White Hat" are mostly published in newspapers and periodicals in the form of reports.At present,there is little systematic and normative research on its behavior in theory.Therefore,it is necessary to systematically discuss its behavior in this paper.In view of this,this paper discusses the vulnerability mining and disclosure of "White Hat" groups,which is divided into the following four parts:The first part is an overview of "White Hat" behavior.By introducing the meanings of"White Hat" and network security vulnerabilities,this paper clarifies the differences between them and related concepts,combs the tripartite subjects and relationships that may be involved in the current process of dealing with network security vulnerabilities,and recognizes the necessity of criminal law to regulate "White Hat" behavior.On this basis,the current situation of legislative regulation and judicial application of "White Hat"behavior in China is analyzed,and through typical cases,specific problems are put forward.The second part is about the legal risks and disputes of "White Hat" behavior.The first level specifically analyses the legal risks of vulnerability mining,that is,the legal risks of "intrusion" and the legal consequences of "acquisition" of data.The second level specifically discusses the controversy caused by the disclosure of loopholes,which is mainly reflected in the questioning of the mode and safety of disclosure,the lack of legal basis for disclosure and the risk in the disclosure process of different disclosure subjects.In the third part,aiming at the legal risks and disputes raised in the second part,the author makes a concrete analysis of the behavior of "White Hat".For vulnerability mining,through the identification of "intrusion" and "acquisition of data",this paper analyseswhether it constitutes the crime of illegally acquiring computer information system data in Article 285 of the Criminal Law,and tries to find a way to resolve disputes within the scope of existing legal regulations.For vulnerability disclosure,classified according to the actual disclosure mode,aiming at the "relying" disclosure with more problems,the responsibility of different disclosure subjects under this mode,namely the third party vulnerability platform and the "White Hat" is discussed.The fourth part is the analysis of the legitimacy boundary of the "White Hat" act and the thinking of the specific regulation path.In judging the legality of "White Hat" behavior,we should further clarify the subject boundary,authorized boundary and legal regulatory boundary on the basis of existing provisions.Therefore,we should not only strengthen technical governance,improve system construction,strengthen industry self-discipline and personnel supervision,but also perfect and refine the implementation of the Network Security Law to give full play to its guiding role in network security.At the same time,we should also improve the criminal legislation under the network environment and give full play to the role of the Criminal Law. |
PDF Full Text Request