lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 08 Jun 2014 10:34:41 -0700
From: Dave Warren <davew@...eahit.com>
To: Paul Vixie <paul@...barn.org>, Pedro Ribeiro <pedrib@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Responsible disclosure: terms and conditions

On 2014-06-08 04:03, Paul Vixie wrote:
> this is concerning, for two reasons.
>
> first, for enforceability, a contract requires exchange of
> consideration. what's yours? i can see that the vendor is receiving
> something of value (the disclosure) but it's not clear what you're
> getting in return beyond the opportunity to have your good deeds go
> unpunished. absence of a negative does not amount to a positive in the
> eyes of the law.

Indemnity is definitely consideration. I'm not sure that "1- You will 
not attempt to threaten or prosecute the researcher in any 
jurisdiction." is sufficient though, but something similar in 
appropriate legalese would possibly do the trick.

There also needs to be an enforcement or penalty clause that is mutually 
agreeable (and this is probably where most companies will start to 
wonder if agreeing is worthwhile). A contact without an enforcement 
clause is mostly useless since a violation will, at most, allow the 
opposing party to disregard the contract. This works great in a "I will 
mow your lawn as needed for $80/week" contract, in which case in the 
event of a breach, the other party would stop complying with their terms.

In this case, the vendor has on ongoing obligation to not sue, whereas 
the researcher has completed their portion as soon as they reveal the 
information to the company (or as soon as they complete a defined 
responsible disclosure period). If the company chooses to pursue legal 
action against the researcher, the researcher has no remedy in the contract.

At a minimum, agreeing to limit damages in the event of any and all 
legal actions resulting from researching and disclosing the 
vulnerability would be a start.

Still, I like the idea, especially if it's something that a reasonable 
number of researchers use.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists