Dailydave mailing list archives
Concerns of a Security Researcher in a DMCA world
From: "mplsmith () gmail com" <mplsmith () gmail com>
Date: Thu, 16 Feb 2006 21:16:17 -0800
I've recently been confronted with a question worthy of public debate. According to the DMCA Copyright Law (http://tinyurl.com/cqdft), TITLE 17, CHAPTER 12, §1201 Subsection (J), the law permits copyright law exceptions for security researchers. I assume we are all aware of, or have at least heard of, this section of the law; however, it contains wording which is confusing in general and even more so when interpreted into real-life scenarios. A copyright, according to what I've personally researched, is "a limited license to exploit an idea for commercial purposes", which I interpret as an exclusive right to profit from an idea, which seems to be straightforward and fair in its simplest form. Software vendors are not successfully identifying and fixing vulnerabilities in software. As described by Richard Clark (http://news.com.com/2100-1001-947409.html), independent security researchers have a major and ever-growing role in the security of software used by consumers, businesses, government, and other critical infrastructures. If copyright laws were originally designed only to ensure their owners exclusive rights to profit from a copyrighted item, and the DMCA specifically permits exceptions for security testing, then what exact actions/behavior are researchers permitted to perform? In my experience as a security researcher I have reviewed software as a consultant for customers, reviewing their software under contract and being paid for my services. I've also reviewed software out of personal interest, which has successfully led to patches and security improvements, and this is the focus of my concern. A problem arises when we review publicly released software not under direct request by the vendor. A simple example is software such as Winamp; its basic version can be downloaded freely without any cost to us and is therefore easy to obtain and review.
The Winamp PRO version is a different story; this version requires consumers to pay $19.95, thus making it difficult for a security researcher to easily obtain a copy and therefore unable (without wasted expense) to review this popular product in any reasonable way. The security exception portion of the current copyright law was designed to ensure that the copyright law does not restrict, hinder or impact the ability for vulnerability research to be performed regarding copyright-restricted items. What method of acquiring software is ethical, legal, and most importantly realistic for researchers to succeed in performing much-needed research? Should security researchers be required to pay for software that they only review but never use? Is there a difference between borrowing a copy of software vs. downloading it from "other" sources? Should vendors be able to deny researchers from reviewing their software, either by requiring permission or by forcing researchers to pay for the software without ever using it as it is intended? I have spent a lot of money acquiring software which I have no interest in owning, only to permit the capability to review software for the benefit of improving security. I commonly find myself in legal uncertainty regarding what software I can legally review and how it can be obtained. The question is: why should security researchers need to pay full price and maintain huge budgets to obtain all the software which they review? If this is the only legal way, then how can a researcher realistically review software such as Oracle without paying unrealistic/impossible amounts of money simply to do research? According to the DMCA law many exceptions are permitted; the Reverse Engineering exception (TITLE 17, CHAPTER 12, §1201 Subsection (F)) states "a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure", which makes total sense to ensure cracking of software is illegal.
In contrast to the Reverse Engineering exception requiring lawful obtaining of a program, the Security Testing copyright exception (TITLE 17, CHAPTER 12, §1201 Subsection (J)) does not state anything about how the software is obtained. Security testing is also incorrectly defined as "accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network". This definition as it is could never describe a valid copyrighted item and also has nothing to do with reviewing applications/programs for vulnerabilities. Vulnerabilities are specifically found in "computers, computer systems, or computer networks"; they are found within software applications which execute on a computer (such as BIOS software), execute on a computer system (such as software applications), or execute on devices (such as IOS software) which, when interconnected, make up a computer network. How can security researchers succeed in this situation without performing actions which may be construed as illegal due to the confusing grey area of the law? Are we expected to pay out unreasonable amounts of revenue to software vendors without a return, thus forcing the research industry into a negatively profitable line of work? Is the industry permitted to research only at the mercy of the software vendors, which truly receive no positive return from independent security research?
