
[Full-Disclosure] Re: security related contract



==========================================================================
 ~ "One of our customers asked us for a machine that would
ensure their local network security. Our commercial representative came
and asked if I had a solution for them. {blah, blah, blah...}, asked what 
guarantees could I offer and if I had a sample contract for such services. 
Now my fellow posters, I ask for thy help. Could anyone help me with such
a contract? ~
===========================================================================

You may not be old enough to remember Western Union Telegrams, but on the back 
of the form, if you read the contract, they were basically agreeing to ATTEMPT 
to deliver your message, and nothing more. They could fail or deliver by slow 
turtle, and they still weren't responsible.
Keep that concept in mind. You want to write a simple contract, don't try to 
fill it with legalese that you barely understand, and don't PROMISE any 
results. As we all know, there really is no absolute protection from 0-Day 
exploits, other than the old "unplug and throw in the river" method that has 
certain practical problems. Let's not even go INTO the End Luser and all the 
problems that he/she can cause.
DON'T try to make it iron clad, because iron clad contracts can be a PITA. 
Trust me.
Just make a contract promising to TRY to keep his systems healthy and secure 
and in a GENERAL way how you intend to go about doing so. 
Do NOT promise that nothing can go wrong, because that's exactly what WILL 
happen if you have promised that it won't.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html