Message-Id: <035C362A-4283-45BA-80E3-4D77D444BE16@owasp.org>
Date: Sun, 8 Jun 2014 09:43:41 -0400
From: Daniel Wood <daniel.wood@...sp.org>
To: Paul Vixie <paul@...barn.org>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Responsible disclosure: terms and conditions

Keep in mind you can always be sued, no matter what 'legal' document you may have. I'm the third down on that attrition list.

This brings to mind this recent blog from John Strand: http://pen-testing.sans.org/blog/pen-testing/2014/06/04/five-things-every-pen-tester-should-know-about-working-with-lawyers

Not specifically regarding disclosure but worth the read.

Daniel

> On Jun 8, 2014, at 7:03 AM, Paul Vixie <paul@...barn.org> wrote:
> 
> 
> 
> Pedro Ribeiro wrote:
>> ...
>> 
>> I am not a lawyer, so I would like everyone's opinion (lawyer or not)
>> on whether this would actually provide any protection.
> 
> i am not a lawyer either. i started MAPS, the first anti-spam company,
> in 1997 or so, and became the most-sued person i know. i may be the
> most-sued person you'll ever know. and i've been sued by some experts. so:
> 
>> I had this idea of making Terms & Conditions that you would send to a
>> vendor prior to disclosing the vulnerabilities. The vendor (or someone
>> responsible) would have to accept these terms by replying to your
>> email and only then you would reveal the vulnerabilities. If they
>> didn't accept, you would release them to the public (full disclosure)
>> immediately.
> 
> this is concerning, for two reasons.
> 
> first, for enforceability, a contract requires exchange of
> consideration. what's yours? i can see that the vendor is receiving
> something of value (the disclosure) but it's not clear what you're
> getting in return beyond the opportunity to have your good deeds go
> unpunished. absence of a negative does not amount to a positive in the
> eyes of the law.
> 
> you're also treating this as a one-off. i suggest you make it
> continuous, and make continuity be a value they are trading for. so,
> make this a relatively standard bilateral NDA stating the violation by
> them will result in (a) cancellation of the NDA, (b) unwillingness by
> you to enter into another NDA with them for three years, and (c) naming
> and shaming them for who they are and what they did, over on slashdot.
> 
> it's generally good text other than these structural matters. you'll
> want a real lawyer to look at it before you try to use it, and maybe
> before you process my suggestion above. we have two non-practicing
> lawyers in the computer security field, david dagon and anne mitchell.
> let me know if you'd like an introduction to either.
> 
> vixie
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
