From: spamproof at nospammail.net (Rob)
Subject: Fwd: NDA & SOX?

Jason Coombs wrote:
> Christoph Gruber wrote:
>  > If a manufacturer of software gets to knowledge of a certain weakness
>  > (vulnerability), does he have to inform the public immediately?
>  > Is it even worse, if the manufacturer forces everyone, who has
>  > knowledge about that thing, to sign NDAs?
> 
> Let me take your question a little further... Suppose you are a 
> "Director" of a public company, and you have knowledge of design flaws 
> and vulnerabilities designed into a software product on purpose?
> 
> The flaws harm investors, they harm the public, they harm information 
> security in general. They are unethical. You inform the company that the 
> flaws exist, and nothing is done about them. Instead, you're slowly but 
> forcefully pushed out of the company.
> 
> You've signed an NDA.
> 
> What do you do?
> 
> Regards,
> 
> Jason Coombs
> jasonc@...ence.org

You send a certified, anonymous regular US postal letter directed to:

The Company in Question
The Executive Audit Committee
Attention SOX Section 301

According to SOX the company is supposed to create special processes for 
handling any type of correspondence to the Audit Committee and to assure 
that only the audit committee members see the contents.

Be sure not to get your fingerprints on the paper or envelope and mail 
it from a small post office far from your normal post office.
Use gpg (with a unique key specially created just for your 
correspondence to the audit committee) to sign the text [which should 
include the number from the certified mail label (pick this up from the 
post office prior to printing out the letter)] - this, combined with the 
canceled certified mail receipt will allow you to prove that you 
reported the situation if/when they try to implicate you. But if you 
were/are a director you should do it soon to protect yourself, now that 
you have made public that you have such information.

And I don't want to be rude, but *please* either put up or shut up about 
your fight with your former company. Please, either "fully disclose" 
whatever you are alluding to in the above or keep it private. To quote you:
"Disclosure is something that good people do. Non-disclosure is 
something that bad people do."

I could be wrong but with this topic you seem to have sailed beyond the 
edge of the FD List Charter.

But then again, I am not a lawyer or moderator, so take it FWIW...
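The signing step above, as an added example that is not part of the original post: a single-purpose gpg key (no personal identity in the user ID) clearsigns a letter whose text embeds the certified-mail label number, so the signature later proves exactly what was sent under that receipt, and any change to the signed text, the number included, makes verification fail. It assumes gpg 2.1 or later on PATH; the tracking number and addresses are constructed placeholders.

```shell
# setup_audit_key: fresh keyring in a temp directory, dedicated to this correspondence
setup_audit_key() {
  AUDIT_WORKDIR=$(mktemp -d)
  export AUDIT_WORKDIR
  export GNUPGHOME="$AUDIT_WORKDIR/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  # Batch parameters: no passphrase, no real name or personal address in the UID
  cat > "$AUDIT_WORKDIR/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: SOX 301 Correspondent
Name-Email: correspondent@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$AUDIT_WORKDIR/params" 2>/dev/null
}

# sign_audit_letter NUMBER: write and clearsign the letter, binding it to the receipt
# Writes $AUDIT_WORKDIR/letter.asc; call setup_audit_key first (same shell, not a subshell)
sign_audit_letter() {
  tracking="$1"   # certified-mail label number picked up before printing (placeholder)
  cat > "$AUDIT_WORKDIR/letter.txt" <<EOF
To: The Executive Audit Committee, Attention SOX Section 301
Certified Mail No.: $tracking
(report text goes here)
EOF
  gpg --batch --quiet --clearsign \
      --output "$AUDIT_WORKDIR/letter.asc" "$AUDIT_WORKDIR/letter.txt" 2>/dev/null
}

# verify_letter FILE: exit 0 only if the signed text is byte-for-byte what was signed
verify_letter() {
  gpg --batch --quiet --verify "$1" 2>/dev/null
}
```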
