Re: It takes two to tango

[Chris Paget <ivegotta () tombom co uk>]

<snip>

>    "Ferson also said that HP reserves
>    the right to sue SnoSoft and its members "for monies
>    and damages caused by the posting and any use of the
>    buffer overflow exploit."

This raises a very interesting point.  Bruce Schneier has stated
publicly that he believes vendors should be held responsible for
security flaws in their products
(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
agree with this viewpoint, as, I am sure, do many people on this list.
However, how would this affect the vulnerability disclosure process?

1)  Researcher R finds a security hole in vendor V's product.
2)  R attempts to contact V to reveal the bug.
3)  V does not respond.
4)  R attempts communication several times over the next 90 days, but
never receives a response.
5)  R releases an advisory.
6)  Attacker A writes an exploit for the hole, and uses it to hack
into company C.
7)  C successfully sues V for several million dollars compensation.

Does V still have the right to sue R?  If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.  I'm sure I'm not the only person who feels uncomfortable
about this.  Buffer overflow exploits are not difficult to write; it
doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.  Doesn't need to
be much, just a blanket law that if the researcher has taken
reasonable steps to alert the vendor, they cannot be held liable for
the consequences of releasing the advisory. If that doesn't happen,
things are going to get messy.

Chris

-- 
Chris Paget
ivegotta () tombom co uk