lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 08 Jun 2014 11:23:08 -0700
From: Paul Vixie <paul@...barn.org>
To: "codeinject.org" <exploit@...einject.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Responsible disclosure: terms and conditions



codeinject.org wrote:
> any lawyer will dismiss this in court stating it was signed under duress.

in my proposed model, the only recourse a researcher has against vendor
nonperformance is future silence. in your scenario above the lawyer in
question would be trying to argue that future silence was in some way
inappropriate.

> Also it sounds an awful lot like blackmail.

"i wish to enter into a no-fee relationship with you wherein you will
receive certain valuable information at no monetary cost. the only
requirement you would have to meet in order to receive this and future
potentially valuable information is absolute fidelity to this
nondisclosure agreement."

doesn't sound like blackmail to me, not even a little bit. and i've been
sued by experts. and it's what i wish i'd tried instead of doing the
BIND Forum (criticized as a form of "pay for play"), back when
CMU-CERT's lossy predisclosure chain screwed me for what i swore would
be the last fscking time.

>
> I think you should either make the gamble, or let a ZDI, Exodus, VUPEN etc
> do the disclosure on your behave.
>
> or just go full diclosure on them =)

those are all lose-lose propositions. i say shoot for a win-win and let
lose-lose be the recourse ("fallback position").

vixie


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists