Bugtraq mailing list archives

Re: It takes two to tango


From: "Kyle R. Hofmann" <krh () lemniscate net>
Date: Wed, 31 Jul 2002 19:25:09 -0700

On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget wrote:
> IMHO, vendors SHOULD be responsible for security holes.

What, precisely, do you mean by "responsible"?  Do you mean "monetarily liable"?

Suppose I find a remotely exploitable flaw in a major open source project,
such as BIND or sendmail or Apache.  I communicate the flaw to the vendor.
It responds quickly, confirming my find and working with system integrators
to release patches.  The patches are well publicized and widely available.
Subsequently a black hat releases an aggressive worm which exploits this
vulnerability.  It does $1 million in damages.  Is the vendor (ISC, Sendmail
Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory
damages?  If so, is it also liable for punitive damages because it should
never have introduced that bug in the first place, even though it did its
best to respond?

Put another way, if I'm Microsoft and I want to destroy open source, should
I start looking for vulnerabilities in big open source projects?

> However, before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes.  Doesn't need to
> be much, just a blanket law that if the researcher has taken
> reasonable steps to alert the vendor, they cannot be held liable for
> the consequences of releasing the advisory.  If that doesn't happen,
> things are going to get messy.

"Reasonable steps" is a very vague term.  You have made the point that the
researcher needs protection from an unreasonable vendor, but vendors
also need protection from unreasonable researchers.  Any system which
unfairly protects either side courts abuse.

-- 
Kyle R. Hofmann <krh () lemniscate net>
