OJS Security Threats and Legal Liabilities

Open-source software like OJS forms the foundation of much of the software we use today. Access to freely available open-source code allows developers to quickly create and improve software. This lowers the cost of development and allows software companies to stay ahead of the competition.

But there are potential security challenges with using open-source software that should not be ignored. Aside from damage to your publishing business's reputation and the cost in time and money to fix, OJS security vulnerabilities can expose you to legal liability through tort law.

Tort Liability

Tort law is simply the legal obligation one party owes to a victim as a result of a civil wrong or injury.

Open-source software licenses can present potential tort liability for negligence and other forms of product liability. Software can cause both property damage and economic loss to the businesses running it. According to technology lawyer Jeffrey Kosc, there are three scenarios in which a company can be held liable:

  1. If an organization has warranted that their software is secure (Duty of Care and Disclosure).
  2. If the organization failed to react quickly to the attack (Breach of Duty).
  3. If an organization was attacked and that resulted in subsequent loss of private information (Damages).

The above scenarios apply both to publishers using OJS and to the developer of the software, which in the case of OJS is the Public Knowledge Project (PKP).

Legal Negligence

The definition of negligence is:

The failure to do an act which a reasonably careful person would do, or the doing of an act which a reasonably careful person would not do, under the same or similar circumstances to protect oneself or others from bodily injury, death, property damage.

Plaintiffs in a civil lawsuit pertaining to software would have to cite negligence as a cause of action, showing that a vendor failed in its duty to take steps to mitigate security vulnerabilities and, as a result, caused harm to the plaintiff. A good example of this is the recent Yahoo gross negligence lawsuit over hacking.

Typically, negligent conduct involves a direct action, such as hitting a pedestrian in an intersection or rear-ending another person’s vehicle. However, negligent conduct can also include inaction, such as the failure of a software vendor to make regular disclosures about the security vulnerabilities of their software.

There are four generally accepted elements of any civil negligence case:

  1. Duty of Care
  2. Breach
  3. Causation
  4. Damages

Duty of Care

Vendors have a duty to take reasonable care when it comes to the security of their software. PKP is the creator of Open Journal Systems (OJS), the open-source publishing software used by many universities, researchers, and publishers for their journals. According to PKP, more than 10,000 institutions are using this software worldwide (the actual number is much higher). As part of its Duty of Care, PKP needs to provide regular and full vulnerability disclosures. This is a critical component of the support of any open-source software.

However, in a recent announcement, PKP has denied OJS security threats by stating, “Just to be clear, our software has been and continues to be secure without the use of any third-party products or services, and we reaffirm our diligence in the timely reporting of any real reported security vulnerabilities.”

Breach

A software vendor is in breach of its Duty of Care if it fails to react quickly to an attack or to make regular disclosures regarding security vulnerabilities.

From the launch of the first version of OJS in 2001 until 2017, PKP did not make a single news release about OJS security vulnerabilities. In fact, all the security announcements pertaining to OJS came through third-party organizations.

By comparison, both WordPress and OJS are open-source software used to manage content, and one can even argue that OJS, as journal management software, holds more sensitive data than a typical WordPress site. Unlike PKP, however, WordPress has made regular, detailed announcements about the security of its software via its blog. In 2016 alone, WordPress made five announcements detailing security issues and the urgency of upgrading.

Causation

As a result of this breach of the Duty of Care, which should include providing regular patches and disclosures, attackers have been able to take advantage of security loopholes and cause damage, and there has been a sharp increase in Open Journal Systems (OJS) hacking incidents. This is evident from the multiple tutorials available on how to hack OJS (see OJS hacking tutorials on Google Search) and from significant reports of hacking incidents by publishers using OJS. In one recent incident involving a NY college, the NY State Police Cybercrime Unit had to be called in to investigate.

Damages

Publishing sites using OJS have databases containing detailed information about researchers, which attackers can use for identity theft and fraud. Furthermore, attackers can access, steal, or alter unpublished manuscripts, or even publish bogus research. There is also the possibility of compromising the security of the entire server and causing a total site malfunction.

Conclusion

With use of the Open Journal Systems publishing platform on the rise, it is imperative to have a process in place to manage any potential vulnerabilities. Regular disclosures, patches, and transparency about OJS security issues allow publishers to take action immediately should a vulnerability be discovered, and therefore to avoid possible financial or legal liability.

Works Cited or Consulted

Clayton M. Open source software research [Internet]. DavidDFriedman.com [Cited Apr 26, 2017]. Available at:
http://www.daviddfriedman.com/Academic/Course_Pages/21st_century_issues/21st_century_law/open_source_legal_01.htm

High Tech Bridge. Multiple vulnerabilities in Open Journal Systems (OJS) HTB23079 [Internet]. San Francisco: Author; 2012. Available at:
https://www.htbridge.com/advisory/HTB23079

The Law Dictionary. What is tort liability? [Internet]. Black's Law Dictionary. Available at:
http://thelawdictionary.org/tort-liability/

McCormick and Murphy PC. Understanding the 4 elements of negligence [Internet]. Denver, CO: Author [Cited Apr 26, 2017]. Available at:
https://www.mccormickmurphy.com/diy/liability/negligence/

PKP Community Forum. User posts. Does removing the register from top ribbon increase security? [Internet] 2017. [Cited Apr 26, 2017]. Available at:
http://forum.pkp.sfu.ca/t/does-removing-register-from-top-ribbon-increase-security/30195/6

PKP Community Forum. User posts [Internet]. Available at:
http://forum.pkp.sfu.ca/search?q=hack

Protecode.com. Security vulnerabilities and liabilities in software. Kanata, ON: Author; nd.

Public Knowledge Project. Regarding Open Journal Systems hacking epidemic and solutions [Internet] 2017. Available at:
https://pkp.sfu.ca/2017/01/30/regarding-open-journal-systems-hacking-epidemic-and-solutions/

Stempel J. Yahoo sued for gross negligence over huge hacking [Internet] 2016. Reuters. [Cited Apr 26, 2017]. Available at:
https://ca.news.yahoo.com/yahoo-sued-gross-negligence-over-huge-data-breach-213708408–finance.html