Date: Sun, 08 Jun 2014 12:00:26 -0700
From: Eric Rand <>
To: Paul Vixie <>
Subject: Re: [FD] Responsible disclosure: terms and conditions

This sounds like modified prisoners' dilemma to me:

Prisoner 1 (the researcher):
Cooperate: give information to the company
Not-cooperate: deny information, release publicly

Prisoner 2 (the company):
Cooperate: don't sue the researcher
Not-cooperate: sue the researcher

With the result table of:

[cooperate][cooperate] - Company gets vuln info; researcher doesn't
get sued.
[cooperate][no-cooperate] - company gets vuln info; researcher gets sued
[not-cooperate][cooperate] - researcher discloses vuln publicly;
company sues
[not-cooperate][not-cooperate] - researcher discloses vuln publicly;
company sues

With [nc][c] being a case where the researcher doesn't bother making
themselves known to the company, for this to hold true.

As I recall, the optimal strategy for that situation is to cooperate
until the other party doesn't, and then no longer cooperate at all.

I think that in a situation where the researching community -as a
whole- acted as the 'researcher' in this situation, i.e. if a company
sues a researcher, then no researcher discloses vulns about that
company's products to the company before public release, that would
most closely model the win/loss strategy and make it very easy for all
parties to understand the situation.

And since, despite the fact that humans are not rational, we keep on
trying to assume people act in a rational and informed manner,
rational actors would behave according to the optimal strategy--to
cooperate until they get betrayed.

That's my two cents on the matter, anyway.

--ER/

On 06/08/2014 11:23 AM, Paul Vixie wrote:
> wrote:
>> any lawyer will dismiss this in court stating it was signed under
>> duress.
> in my proposed model, the only recourse a researcher has against
> vendor nonperformance is future silence. in your scenario above the
> lawyer in question would be trying to argue that future silence was
> in some way inappropriate.
>> Also it sounds an awful lot like blackmail.
> "i wish to enter into a no-fee relationship with you wherein you
> will receive certain valuable information at no monetary cost. the
> only requirement you would have to meet in order to receive this
> and future potentially valuable information is absolute fidelity to
> this nondisclosure agreement."
> doesn't sound like blackmail to me, not even a little bit. and i've
> been sued by experts. and it's what i wish i'd tried instead of
> doing the BIND Forum (criticized as a form of "pay for play"), back
> when CMU-CERT's lossy predisclosure chain screwed me for what i
> swore would be the last fscking time.
>> I think you should either make the gamble, or let a ZDI, Exodus,
>> VUPEN etc do the disclosure on your behalf.
>> or just go full disclosure on them =)
> those are all lose-lose propositions. i say shoot for a win-win and
> let lose-lose be the recourse ("fallback position").
> vixie
> _______________________________________________ Sent through the
> Full Disclosure mailing list 
> Web Archives & RSS: