
Suppose you were working at a company for a few years, and during your time there you found a few computer security vulnerabilities that could be used by potential attackers. If you were to compile them into a report, would it be legal to sell it to that company (in the United States)?

Edit:

In cybersecurity, there's a term called responsible disclosure. In essence, you notify the company of a vulnerability and give them plenty of time to take care of it. Typically, if the company doesn't do anything about it, the person will publicly disclose the vulnerability to get the full attention of the company (full disclosure). What are the legal implications of full disclosure?

Blue Herring

4 Answers


No.

An employee has a duty of loyalty to the employer and profiting from this personally (without the employer's consent) would breach the employee's duty of loyalty to the employer.

The common law concepts are explored at Jet Courier v. Mulei, 771 P.2d 486 (Colo. 1989) ("an agent is subject to a duty to his principal to act solely for the benefit of the principal in all matters connected with his agency."), and while the facts are different (it involved an employee plotting to jump ship to a new company while working for an old one) the legal principles are the same.

ohwilleke

Well, as always, the answer is "it depends".

It isn't illegal per se.

If both parties agree, it's good business. You get paid for the work of compiling the report. For example, let's say you leave and are no longer working for them, and they call you and say "hey, you know those security vulnerabilities you were talking about last year? Yeah, the boss finally decided to give it priority, but it seems we kept no notes in that meeting. Could you compile a report for us? I know you no longer work here, but we would pay you a little more than the normal contractor rate if you are interested". That's perfectly fine.

Now, not disclosing them when you found them could be seen as a breach of contract, which implicitly includes the duty of loyalty. Keeping it a secret to cash in on later is certainly sleazy.

The compiled report might, depending on state laws, your specific contract, and who can pay the better lawyer, end up as theirs. You can only compile that report because you worked there, and you got knowledge of those vulnerabilities only as a part of your job.

And finally, even if you did compile a report and it is waterproof and it is yours exclusively, it very much depends on the "else". What if they just say "no thanks"? Selling that report to someone else is illegal. So you have exactly one legal buyer and that buyer knows it. Does not sound like a great bargaining position.

If you approach them, it takes a lot of skill and maybe a bit of legal training to make sure it does come across as an offer of "good business". I think it would be easy to be misinterpreted as either blackmail or selling them knowledge they legally probably already own.

So unless you are certain you can fit into that "good business" model of selling your work compiling a report, instead of selling the knowledge of their secrets, it might be safer to not do that.

If they approach you, it should not be a problem, but if you approach them, it will be a mess, no matter how well you mean it.

nvoigt

Answering this part of the question:

you notify the company of a vulnerability and give them plenty of time to take care of it. Typically, if the company doesn't do anything about it, the person will publicly disclose the vulnerability to get the full attention of the company (full disclosure). What are the legal implications of full disclosure?

Consider this analogy:

Alice lives with Bob and learns that he has a peculiar medical vulnerability: if one pulls his left nipple and his right earlobe simultaneously, he may well suffer a severe heart attack.

She tells him that he should fix it but he won't.

She leaves him and posts this ad: "Wanna cause Bob a heart attack? Here is how."

Legal implications: breach of confidentiality, and, if someone uses Alice's info to kill Bob — accessory to murder.

Greendrake

Why would that be any different from skills you learned while at the company, you quit, and now they want you to help them with a problem that only you know about? Are you obligated to help them free of charge?

What if you said, "Hey Jim, I know a way you could increase the throughput on your network and stop paying rent on half your fleet. Want me to tell you how?" Are you obligated to tell them free of charge? Would you be in contempt of court if you didn't?