If we, as a company, have a DNS record we did not update and are now
pointing to an IP address we don't own, and an attacker used our DNS
record to access the web application and then used the Remote Code
Execution vulnerability, are we in any way legally responsible for
this? Bearing in mind that the server is accessible to the world
regardless and does not require authentication to access it. However, by
having a DNS record pointing to that IP, we are inherently giving it
more visibility, because anybody who previously visited our domains
when we owned that address might now visit and be greeted with the new
page.
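As an added example (not part of the question or the answer above), the check a practitioner would want before this question ever arises: an audit of a zone's records against the address space the company still controls. The zone records and the owned CIDR ranges below are constructed sample data, and the `example.com` zone name is an assumption; replace them with a real zone export and your actual allocations.

```python
"""Flag DNS records that send traffic for our names to infrastructure we do not own.

Added example, not code from the original post. Zone records, owned CIDRs and
the zone name are constructed/assumed sample data.
"""
import ipaddress

# Constructed: address ranges the company actually controls (assumption).
OWNED_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]

# Constructed sample zone export: (name, record type, value).
ZONE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("old-app.example.com", "A", "198.51.100.7"),        # released IP, now someone else's
    ("api.example.com", "AAAA", "2001:db8:10::5"),
    ("lab.example.com", "AAAA", "2001:db8:99::1"),       # outside our IPv6 allocation
    ("blog.example.com", "CNAME", "pages.hosting-provider.example."),  # third-party host
    ("intranet.example.com", "CNAME", "www.example.com."),
]


def owned_networks(cidrs):
    """Parse the CIDR strings once into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_owned(addr, networks):
    """True if the literal address falls inside any owned range (v4 and v6 never mix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_stale_records(records, cidrs, owned_zones=("example.com",)):
    """Return (name, type, value, reason) for every record we no longer control.

    A/AAAA records are checked against the owned address ranges; CNAMEs are
    flagged when their target is not under a zone we operate, since a target
    host that lapses or is reassigned lets a third party answer for our name.
    """
    nets = owned_networks(cidrs)
    stale = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            if not is_owned(value, nets):
                stale.append((name, rtype, value, "points outside owned address space"))
        elif rtype == "CNAME":
            target = value.rstrip(".")
            in_house = any(target == z or target.endswith("." + z) for z in owned_zones)
            if not in_house:
                stale.append((name, rtype, value, "CNAME to a host under another party's control"))
    return stale


if __name__ == "__main__":
    for name, rtype, value, reason in find_stale_records(ZONE_RECORDS, OWNED_CIDRS):
        print(f"{name:24} {rtype:5} {value:36} {reason}")
```

The A/AAAA check is the literal version of the question's situation: the record itself is fine, but the address behind it has been released, so whatever now lives there inherits the traffic the name still attracts. The CNAME check is the related case of a name that resolves through a provider-owned host; it is worth running both in the same pass, because a record that passes the address check can still be delegated to someone else one hop later.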
I would be stunned if there was liability simply for pointing to a third-party IP address that used to be yours but is no longer yours, and that happens to have a security flaw.
The act of setting up the software to point at the third-party IP address when it belonged to you was not itself negligent.
I also do not believe that there is a recognized legal duty to update bad links to web addresses, either in general or as you become aware of them, which 99% of the time are merely harmless irritants that arise from the dynamic nature of the web. Indeed, there is a whole cottage industry that exists more or less entirely to exploit dead links for marketing purposes, so not updating IP addresses is not ordinarily seen as a necessarily or foreseeably harmful thing to third-party successor owners of the address as a general rule. And the new owner of the IP address is usually the "lowest cost risk avoider," and that is who the common law tends to impose responsibilities upon.
The harder questions are:
1. Is there a duty to warn a third-party system operator of a flaw that is discovered?
As a general rule, I don't think that this duty is legally recognized in the absence of a contractual relationship between you and their firm, in which case the duty of good faith and fair dealing between parties who have contractual relationships with each other may apply to create such a duty.
2. Is there a duty not to tell someone who you suspect will exploit the flaw?
If you were to post knowledge of the flaw on a known hacker's website used by people likely to exploit the flaw, this might be construed as a knowing and intentional attempt to conspire with another to hack the third party's system, and that might very well result in an imposition of liability upon you for the harm done. Communications that are recklessly and intentionally calculated to harm another are not necessarily protected by free speech considerations.
3. Is there a duty not to tell the public of the flaw?
On one hand, this information is still accessible to known hackers, but it also addresses a matter of public concern for which free speech considerations should receive more weight, and this might be particularly problematic if you hadn't warned the third party, a reasonable time in advance, of the flaw and your intent to disclose it publicly.
I am not comfortable that I know how this fact pattern would come out.
But merely driving an incidental amount of traffic to a website that a person knowledgeable in IT security would be able to determine has a security flaw, alone, probably doesn't give rise to liability.
Admittedly, there isn't a huge amount of case law on this subject, and the statutes aren't terribly clear in gray areas. So I am basically doing an analysis from general tort and contract law principles, without reference to the specific cases or authorities that give rise to this liability. But realistically, if someone did sue over something like this, they would probably be relying mostly on general statements in authoritative summaries of modern contract and tort law principles and on very general statutory language, trying to shoehorn those general principles into this fact pattern, rather than relying on well-established case law (unless they got very lucky and came upon a favorable case on point that was controlling law).