What should our policy about asking for practical advice on breaking security be?

Question

This recent question asks how to fix a tool for scanning for duplicate R values. There are two major purposes for a tool like this:

• Researching how common a security vulnerability is, and
• Exploiting that vulnerability to steal money.

Based on the context, it does seem like the latter is more likely. However the response to him seems needlessly hostile. Ideally, we'd just point to a policy on meta, close the question, and suggest that they make a new post on meta if they feel that the closing was unwarranted.

I do think we should have a rule against questions like this. In the interest of having an explicit rule, though, I have two questions:

• Should we favor an intent based test? This has the advantage of being simpler, but is pretty subjective. (For example, I think the asker here wouldn't have been questioned about the purpose of the code if they wrote fluent English.)
• Should we have a rule against posting code that exploits or scans for a vulnerability?

Related: meta.security: What determines if a question should be considered Blackhat?

Close reason

When closing a question because of this, you can use this close reason:

I'm voting to close this question as off-topic because it asks how to exploit a real-world system, and fails the three part test talked about [here](https://bitcoin.meta.stackexchange.com/a/685). (completeness, potential for evil, potential for good)

Answer 1

(Sorry, this came out way longer than I intended....)

I for one am against any form of a complete ban. Instead, I'd prefer a policy based on several subjective factors (which can evolve as necessary).

Of course, this unfortunately means that errors in judgement can (and will) be made, but I find the complete-ban option too censorious an alternative.

If I were to start a list of such factors, I'd include:

• completeness - does the question ask for a turn-key solution to do harm, or a single piece of a potential harm-puzzle
• potential to do harm - what is the likelihood that a good answer could result in actual loss, whether executed by the questioner or by any other visitor of this site (noting that vulnerabilities which have already been well explored and exploited by black-hats aren't effective targets for newbie black-hats)
• potential to do good for research or education (I have no trouble pointing out Electrum's weak key stretching if it encourages Electrum users to use longer passwords)

After consideration, I'm not sure I'd include "intent" in this list. We can't possibly know the intent of all of the other visitors to any given answer, so I'm not sure why the intent of one particular viewer of the answer should be given a high weight.

As an alternative argument, if the question were "should a user's inferred intent affect punitive actions against the user", I'd say Yes. But I think the question here is "is this question and any associated answers good for Bitcoin.SE", and I think the questioner's intent should be irrelevant.

If I were to apply these three factors to the question at hand, I'd personally find that:

• completeness - the question doesn't ask for a script that actually sweeps vulnerable keys, but it comes close... this one's very gray IMO
• potential to do harm - pretty low; I'm fairly confident that real-time scanning and sweeping of vulnerable keys is already done by black-hats, and possibly by white-hats as well, so I doubt such a script would be of any further harm
• potential to do good - also pretty low, although it might be interesting to see some statistics on vulnerable keys

I probably wouldn't vote to close this particular question based on the above, but it's close enough that I'd have no trouble with someone who thought otherwise.

(Note that it's still a poorly-formatted question with a very uninteresting answer, and I'd certainly consider down-voting it.)