„Well, What Would You Say if I Said That You Could?” – Scanning for Vulnerabilities Without Getting Into Trouble

Florian Hantke and Sebastian Roth

The need for comprehensive measurements of security and privacy risks on the Web is undeniable as it helps developers in focusing on emerging trends in security. However, large-scale scans for server-side vulnerabilities remains a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly.

In this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. Drawing from We give insights into 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators to identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators.

Attendees will gain great insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans.

In this talk, the audience will:

Get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research.
Learn current best practices for conducting responsible Web security scans (at scale).
See firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices.
Get an opportunity to engage in an interactive discussion to voice opinions and help influence future research

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/