lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 6 Jun 2014 08:23:05 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Responsible disclosure: terms and conditions

As you all know, responsible disclosure can be hard.
You want to do the right thing, give the vendor some time to fix the
issue, protect its customers, etc; but the first thing the vendor does
is to threaten to sue / arrest / beat up / kill you.

Fortunately this is happening less and less, but there are still
plenty of examples as it can be seen in
http://attrition.org/errata/legal_threats/.

I had this idea of making Terms & Conditions that you would send to a
vendor prior to disclosing the vulnerabilities. The vendor (or someone
responsible) would have to accept these terms by replying to your
email and only then you would reveal the vulnerabilities. If they
didn't accept, you would release them to the public (full disclosure)
immediately.

I am not a lawyer, so I would like everyone's opinion (lawyer or not)
on whether this would actually provide any protection.

==== snip ====

TERMS AND CONDITIONS v0.1
=========================

The "RESEARCH" are the findings, vulnerabilities, proofs of concept
and any information provided by the researcher.
The "RESEARCHER" is <Your name, title, company and / or email here>,
unless otherwise noted.
"YOU" refers to the person or institution that produces, distributes
or commercializes the product.
"PRODUCT" is the application, hardware or software that was analysed
by the researcher.

The research provided to you is the sole intellectual property of the
researcher. It is shared with you in accordance with the terms set
below:

1- You will not attempt to threaten or prosecute the researcher in any
jurisdiction.

2- No guarantees are made with regards to the accuracy of the research.

3- The research is result of many hours of analysis, testing,
inspection and / or reverse engineering of your product, as allowed by
the "Security Exception" of the Digital Millenium Copyright Act and
the equivalent European Union law.

4- The researcher cannot and will not give you advice, test or provide
any feedback regarding a possible fix unless contracted to do so by
you.

5- This research is intended to be released to the public in order to
enhance the security of your product and allow your customers to
protect themselves.
The researcher will wait for a reasonable amount of time before
releasing this information in order to allow you to provide a fixed
version of your product. Normally this will be 30 days, but exceptions
might be made solely to the discretion of the researcher.

6- The fixed version of your product will have to be provided by you
to your previous and current customers completely free of any charge.

7- It is appreciated if you mention the researcher's name when
providing the fixed version of your product.
Monetary rewards are highly appreciated but not expected in any way.

==== snip ====

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ