Disclaimer: I’m not a lawyer, either, so I’m commenting only on ethics and the expected behavior on this site.
I believe that anything that could be observed by visiting a publicly-accessible website, viewing the site’s source code, or watching the traffic to/from the client while visiting the site is fair game for public posting and discussion. This covers quite a bit of territory.
Where I believe someone might cross the line into unethical behavior is if they:
- Perform full penetration or vulnerability scanning against a site without the owner’s permission, especially if such a scan carries risks to the site or if it requires making requests that are substantially different or much higher volume than those generated by ordinary user visits to the site.
- Publish, or make available to someone without the site owner’s authorization, a vulnerability in that site that is not widely known and that isn’t the cause of a current compromise.
A reasonable comparison would be physical security of a building on a public street. Suppose someone notices in the police blotter section of a newspaper that my house has been broken into three times. He decides to drive by my house, snap a photo of the front, and publish it in a newspaper column, along with an explanation of why he thinks the house might have been a target (e.g., no exterior lights), the apparent result of the last break-in (the cut screen on the front window), and a few things that could be done to make it safer (install a porch light). That seems well within his (and the newspaper’s) rights, even if somewhat alarming to me as the homeowner.
On the other hand, if this guy started casing my house, tapping on the walls with a hammer, etc., and then published a column about the valuables to be found inside my house, the details of my daily routine, and the fact that I have a key hidden under the doormat, that wouldn’t be okay at all.
As for free online scanning services, I’d say the need to verify site ownership depends on the type of scanning and the results that are provided. When verification is called for, I’d expect the vendor to go beyond an honor system (i.e., asking the user to affirm that s/he is the site owner) and actually verify the user’s credentials, as Google’s Webmaster Tools does by requiring the owner to make a change to the site’s contents.
With regard to BadwareBusters.org, I want to reiterate that the purpose of this site is to encourage open discussion about fighting badware. This requires the members of the community to balance the need for discretion, as indicated above and in Denis’s and John’s posts, with the requirement of transparency. One thing we definitely don’t want to see this site turn into is a marketplace with vendors just hawking their wares to everyone who comes in looking for help. This is why we ask vendors to refrain from soliciting business (paid or unpaid) except as a by-product of providing valuable public guidance to the original poster.
Interesting discussion, everyone.
It might be useful to write out a bullet list of “expected behavior” for members associated with commercial organizations directly related to malware identification, scanning services, pen testing, etc. It could help to guide people in the future as to how to present their ideas in response to requests for assistance.
Furthermore, if it helps, a sign/icon/avatar of some sort could be associated with members of such organizations to quickly identify them to a new user (as not being “totally benevolent”, for lack of a more appropriate term) when an answer/pointer is provided.
Let’s make this great group even more awesome!
Safe surfing everyone.
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Twitter: @stopthehacker
Facebook: stopthehacker
Jaal: Protecting the Internet, one website at a time™
I agree as well. However, I hear that some customers, especially those who have large websites, find it pretty confusing to try to find help when they have to go through a lot of postings just to figure out what to do next.
I personally would like to see a commercial area of the site so that people who do want to pay are able to find a solution quickly.
Consider that some of these sites are commercial enterprises and don’t have time to wade through a lot of things to get what they need.
I don’t know what the solution is; however, everyone is sent here when there’s a problem, and some people are perfectly willing to pay for someone to find a solution for them.
I think with a commercial section you would give more focus to the users and also eliminate the risks that you discuss above.
Anyway, that’s my 2¢.