“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. > This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.””

Source: Oracle to ‘sinner’ customers: Reverse engineering is a sin and we know best - ZDNet

This article is hard to believe. Imagine if the people who discover these vulnerabilities sold them on the black market instead of reporting them to Oracle. I would hope that Oracle would prefer receiving an email to widespread zero-day attacks.

Though I’m not a lawyer, this makes me wonder what constitutes reverse engineering, and also the legality of license clauses that disallow reverse engineering in this situation.  Unfortunately, Wikipedia doesn’t mention anything about reporting security vulnerabilities, which seems like something that should always be allowed.

From the Wikipedia article:

In the United States even if an artifact or process is protected by trade secrets, reverse-engineering the artifact or process is often lawful as long as it has been legitimately obtained.

Reverse engineering of computer software in the US often falls under both contract law as a breach of contract as well as any other relevant laws. This is because most EULAs (end user license agreements) specifically prohibit it, and U.S. courts have ruled that if such terms are present, they override the copyright law which expressly permits it (see Bowers v. Baystate Technologies).

Sec. 103(f) of the DMCA (17 U.S.C. § 1201 (f)) says that a person who is in legal possession of a program is permitted to reverse-engineer and circumvent its protection if this is necessary in order to achieve “interoperability” – a term broadly covering other devices and programs being able to interact with it, make use of it, and to use and transfer data to and from it, in useful ways. A limited exemption exists that allows the knowledge thus gained to be shared and used for interoperability purposes.

Do security vulnerabilities fall under “interoperability”? Are there “whistleblower” laws that encourage security vulnerabilities to be reported and dealt with responsibly? If not, should there be?