Bugtraq mailing list archives

Re: It takes two to tango


From: Tom Perrine <tep () SDSC EDU>
Date: Wed, 31 Jul 2002 10:53:04 -0700

On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <ivegotta () tombom co uk> said:

    CP> <snip>

    >> "Ferson also said that HP reserves
    >> the right to sue SnoSoft and its members "for monies
    >> and damages caused by the posting and any use of the
    >> buffer overflow exploit."

    CP> This raises a very interesting point.  Bruce Schneier has stated
    CP> publicly that he believes vendors should be held responsible for
    CP> security flaws in their products
    CP> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
    CP> agree with this viewpoint, as, I am sure, do many people on this list.
    CP> However, how would this affect the vulnerability disclosure process?

Others, even some lawyers, agree:

http://www.gocsi.com/pdfs/byte.pdf

Erin also had a similar article in ;login: (requires USENIX
membership):

http://www.usenix.org/publications/login/2001-12/pdfs/kenneally.pdf

and most recently in IEEE Computer:

http://www.computer.org/computer/co2002/r6toc.htm

-- 
Tom E. Perrine <tep () SDSC EDU> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 

