Full Disclosure mailing list archives

Re: Responsible disclosure: terms and conditions


From: Eric Rand <eric.rand () brownhatsecurity com>
Date: Sun, 08 Jun 2014 12:00:26 -0700

This sounds like a modified prisoners' dilemma to me:

Prisoner 1 (the researcher):
Cooperate: give information to the company
Not-cooperate: deny information, release publicly

Prisoner 2 (the company):
Cooperate: don't sue the researcher
Not-cooperate: sue the researcher

With the result table of:

[cooperate][cooperate] - company gets vuln info; researcher doesn't
get sued.
[cooperate][not-cooperate] - company gets vuln info; researcher gets
sued.
[not-cooperate][cooperate] - researcher discloses vuln publicly;
company sues.
[not-cooperate][not-cooperate] - researcher discloses vuln publicly;
company sues.

With [nc][c] being a case where the researcher doesn't bother making
themselves known to the company, for this to hold true.

As I recall, the optimal strategy for that situation is to cooperate
until the other party doesn't, and then no longer cooperate at all.

I think that in a situation where the researching community -as a
whole- acted as the 'researcher' in this situation, i.e. if a company
sues a researcher, then no researcher discloses vulns about that
company's products to the company before public release, that would
most closely model the win/loss strategy and make it very easy for all
parties to understand the situation.

And since, despite the fact that humans are not rational, we keep on
trying to assume people act in a rational and informed manner,
rational actors would behave according to the optimal strategy--to
cooperate until they get betrayed.

That's my two cents on the matter, anyway.

--ER/@munin

On 06/08/2014 11:23 AM, Paul Vixie wrote:
> codeinject.org wrote:
>> any lawyer will dismiss this in court stating it was signed under
>> duress.
>
> in my proposed model, the only recourse a researcher has against
> vendor nonperformance is future silence. in your scenario above the
> lawyer in question would be trying to argue that future silence was
> in some way inappropriate.
>
>> Also it sounds an awful lot like blackmail.
>
> "i wish to enter into a no-fee relationship with you wherein you
> will receive certain valuable information at no monetary cost. the
> only requirement you would have to meet in order to receive this
> and future potentially valuable information is absolute fidelity to
> this nondisclosure agreement."
>
> doesn't sound like blackmail to me, not even a little bit. and i've
> been sued by experts. and it's what i wish i'd tried instead of
> doing the BIND Forum (criticized as a form of "pay for play"), back
> when CMU-CERT's lossy predisclosure chain screwed me for what i
> swore would be the last fscking time.
>
>> I think you should either make the gamble, or let a ZDI, Exodus,
>> VUPEN etc do the disclosure on your behalf.
>>
>> or just go full disclosure on them =)
>
> those are all lose-lose propositions. i say shoot for a win-win and
> let lose-lose be the recourse ("fallback position").
>
> vixie


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/