lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <9698DBC9-E49A-4B53-B1AF-A06BFDDB58CA@owasp.org> Date: Sun, 8 Jun 2014 15:40:26 -0400 From: Daniel Wood <daniel.wood@...sp.org> To: Dave Warren <davew@...eahit.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Responsible disclosure: terms and conditions Should also point out that getting E&O insurance is a good idea. Daniel > On Jun 8, 2014, at 1:34 PM, Dave Warren <davew@...eahit.com> wrote: > >> On 2014-06-08 04:03, Paul Vixie wrote: >> this is concerning, for two reasons. >> >> first, for enforceability, a contract requires exchange of >> consideration. what's yours? i can see that the vendor is receiving >> something of value (the disclosure) but it's not clear what you're >> getting in return beyond the opportunity to have your good deeds go >> unpunished. absence of a negative does not amount to a positive in the >> eyes of the law. > > Indemnity is definitely consideration. I'm not sure that "1- You will not attempt to threaten or prosecute the researcher in any jurisdiction." is sufficient though, but something similar in appropriate legalese would possibly do the trick. > > There also needs to be an enforcement or penalty clause that is mutually agreeable (and this is probably where most companies will start to wonder if agreeing is worthwhile). A contact without an enforcement clause is mostly useless since a violation will, at most, allow the opposing party to disregard the contract. This works great in a "I will mow your lawn as needed for $80/week" contract, in which case in the event of a breach, the other party would stop complying with their terms. > > In this case, the vendor has on ongoing obligation to not sue, whereas the researcher has completed their portion as soon as they reveal the information to the company (or as soon as they complete a defined responsible disclosure period). If the company chooses to pursue legal action against the researcher, the researcher has no remedy in the contract. > > At a minimum, agreeing to limit damages in the event of any and all legal actions resulting from researching and disclosing the vulnerability would be a start. > > Still, I like the idea, especially if it's something that a reasonable number of researchers use. > > -- > Dave Warren > http://www.hireahit.com/ > http://ca.linkedin.com/in/davejwarren > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists