Re: [FD] Responsible disclosure: terms and conditions
- To: Dave Warren <davew@xxxxxxxxxxxx>
- Subject: Re: [FD] Responsible disclosure: terms and conditions
- From: Daniel Wood <daniel.wood@xxxxxxxxx>
- Date: Sun, 8 Jun 2014 15:40:26 -0400
Should also point out that getting E&O insurance is a good idea.
Daniel
> On Jun 8, 2014, at 1:34 PM, Dave Warren <davew@xxxxxxxxxxxx> wrote:
>
>> On 2014-06-08 04:03, Paul Vixie wrote:
>> this is concerning, for two reasons.
>>
>> first, for enforceability, a contract requires exchange of
>> consideration. what's yours? i can see that the vendor is receiving
>> something of value (the disclosure) but it's not clear what you're
>> getting in return beyond the opportunity to have your good deeds go
>> unpunished. absence of a negative does not amount to a positive in the
>> eyes of the law.
>
> Indemnity is definitely consideration. I'm not sure that "1- You will not
> attempt to threaten or prosecute the researcher in any jurisdiction." is
> sufficient though, but something similar in appropriate legalese would
> possibly do the trick.
>
> There also needs to be an enforcement or penalty clause that is mutually
> agreeable (and this is probably where most companies will start to wonder if
> agreeing is worthwhile). A contract without an enforcement clause is mostly
> useless since a violation will, at most, allow the opposing party to
> disregard the contract. This works great in a "I will mow your lawn as needed
> for $80/week" contract, in which case in the event of a breach, the other
> party would stop complying with their terms.
>
> In this case, the vendor has an ongoing obligation to not sue, whereas the
> researcher has completed their portion as soon as they reveal the information
> to the company (or as soon as they complete a defined responsible disclosure
> period). If the company chooses to pursue legal action against the
> researcher, the researcher has no remedy in the contract.
>
> At a minimum, agreeing to limit damages in the event of any and all legal
> actions resulting from researching and disclosing the vulnerability would be
> a start.
>
> Still, I like the idea, especially if it's something that a reasonable number
> of researchers use.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/