From: ericscher at (Eric Scher)
Subject: Re: security related contract

 ~ "One of our customers asked us for a machine that would
ensure their local network security. Our commercial representative came
and asked if I had a solution for them. {blah, blah, blah...}, asked what 
guarantees could I offer and if I had a sample contract for such services. 
Now my fellow posters, I ask for thy help. Could anyone help me with such
a contract? ~

You may not be old enough to remember Western Union Telegrams, but on the back of the form, if you read the contract, they were basically agreeing to ATTEMPT to deliver your message, and nothing more. They could fail or deliver by slow turtle, and they still weren't responsible.
Keep that concept in mind. You want to write a simple contract; don't try to fill it with legalese that you barely understand, and don't PROMISE any results. As we all know, there really is no absolute protection from 0-Day exploits, other than the old "unplug and throw in the river" method that has certain practical problems. Let's not even go INTO the End Luser and all the problems that he/she can cause.
DON'T try to make it iron clad, because iron clad contracts can be a PITA. Trust me.
Just make a contract promising to TRY to keep his systems healthy and secure and in a GENERAL way how you intend to go about doing so. 
Do NOT promise that nothing can go wrong, because that's exactly what WILL happen if you have promised that it won't.
