Security Basics mailing list archives

RE: Non Disclosure Agreements


From: "Allan Schon" <allanschon () mckinleymachinery com>
Date: Fri, 9 May 2003 15:20:34 -0400

They are trying to protect their business, and I cannot fault them for that, 
as long as they are fixing the vulnerabilities, and not relying on obscurity
to prevent an exploit. 

Consider trying to write in a provision by which you can alert bugtraq, after
the patch has been written and proven effective.  Perhaps you'll have to give
them a certain period of time to apply the patch to their systems first.



-----Original Message-----
From: Tim Heagarty [mailto:Tim () TheaSecure Com]
Sent: Thursday, May 08, 2003 1:09 PM
To: security-basics () securityfocus com
Subject: Non Disclosure Agreements


I have a potential client that wishes me to go to their customer's site and
perform various normal analysis activities on a system that the client has
written and installed at the customer's site. My client wants me to produce
an NDA with them that would contain the following points.

I can only disclose vulns in the system to the customer and to my client.
The customer cannot disclose vulns that I find in their system to anyone but
the vendor/my client.

These are large public systems that are used by thousands of end users and
contain great potential for customer harm if the system has a problem that
is not immediately repaired. A small vuln would allow thousands of private
records to be exposed.

I feel like my hands would be tied. If I found something that I felt was
major and the vendor did not then I could not expose it to bugtraq or
anywhere else to protect the safety and privacy of the end user. Not even
the vendor's customer could expose the holes in their system without the
vendor's approval.

Have you folks run across this before? What did you do? Any ideas?

Tim Heagarty CISSP, MCSE
http://www.TheaSecure.com/
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------