Full Disclosure mailing list archives

Re: Responsible disclosure: terms and conditions


From: Paul Vixie <paul () redbarn org>
Date: Sun, 08 Jun 2014 04:03:09 -0700
Pedro Ribeiro wrote:
...

> I am not a lawyer, so I would like everyone's opinion (lawyer or not)
> on whether this would actually provide any protection.

i am not a lawyer either. i started MAPS, the first anti-spam company,
in 1997 or so, and became the most-sued person i know. i may be the
most-sued person you'll ever know. and i've been sued by some experts. so:

> I had this idea of making Terms & Conditions that you would send to a
> vendor prior to disclosing the vulnerabilities. The vendor (or someone
> responsible) would have to accept these terms by replying to your
> email and only then you would reveal the vulnerabilities. If they
> didn't accept, you would release them to the public (full disclosure)
> immediately.

this is concerning, for two reasons.

first, for enforceability, a contract requires exchange of
consideration. what's yours? i can see that the vendor is receiving
something of value (the disclosure) but it's not clear what you're
getting in return beyond the opportunity to have your good deeds go
unpunished. absence of a negative does not amount to a positive in the
eyes of the law.

you're also treating this as a one-off. i suggest you make it
continuous, and make continuity be a value they are trading for. so,
make this a relatively standard bilateral NDA stating the violation by
them will result in (a) cancellation of the NDA, (b) unwillingness by
you to enter into another NDA with them for three years, and (c) naming
and shaming them for who they are and what they did, over on slashdot.

it's generally good text other than these structural matters. you'll
want a real lawyer to look at it before you try to use it, and maybe
before you process my suggestion above. we have two non-practicing
lawyers in the computer security field, david dagon and anne mitchell.
let me know if you'd like an introduction to either.

vixie

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/