Security Basics mailing list archives
Re: Non Disclosure Agreements
From: JohnNicholson () aol com
Date: Fri, 09 May 2003 14:56:42 -0400
Tim - You're being hired by the vendor to look for vulnerabilities, so, to me, that's at least one point in the vendor's favor. As I understand it, your contract would say that you are only allowed to inform the vendor and the customer of any vulnerabilities that you find. The agreement between the vendor and the customer is a separate matter (i.e., the customer is not a party to your agreement with the vendor). If the customer elects (or has already elected) to sign away its rights to disclose vulnerability information, then that is the customer's issue, because the customer has given away some of its leverage over the vendor. Ultimately, the risk of exposure is not yours to bear. While I think it's noble of you to want to expose the vulnerabilities if the vendor refuses to fix them, it's not really your problem. Depending on what type of information might be exposed, the customer will also have tremendous incentive to get any vulnerabilities fixed.

John