Security Basics mailing list archives
Re: Non Disclosure Agreements
From: "David J. Bianco" <bianco () jlab org>
Date: 09 May 2003 15:08:30 -0400
On Thu, 2003-05-08 at 13:09, Tim Heagarty wrote:
> I can only disclose vulns in the system to the customer and to my client. The customer cannot disclose vulns that I find in their system to anyone but the vendor/my client.
> [...]
> I feel like my hands would be tied. If I found something that I felt was major and the vendor did not then I could not expose it to bugtraq or anywhere else to protect the safety and privacy of the end user. Not even the vendor's customer could expose the holes in their system without the vendor's approval.
This is quite normal, and I think entirely appropriate. The vendor in this case is your client. They're paying you to do some work for them, so I think it would be a serious ethical breach for you to publish vulnerability information based upon work done on their dime.

If you're allowed to disclose the vulnerability to the end client, then that should be good enough. If they agree it's a serious vulnerability, they can take it up with their vendor (your client) directly and there's no need for you to become involved. On the other hand, if they don't believe it's a serious vulnerability, and you can't convince them otherwise, that's their responsibility. As a consultant, all you can do is point the way. Others have to want to go there of their own free will.

David

--
David J. Bianco, GSEC GCUX <bianco () jlab org>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint: 516A B80D AAB3 1617 A340 227A 723B BFBE B395 33BA
The views expressed herein are solely those of the author and not those of SURA/Jefferson Lab or the US DOE.
Current thread:
- Malware test sites kent1 (May 02)
- Re: Malware test sites Barry Irwin (May 05)
- <Possible follow-ups>
- Re: Malware test sites erik TheRed (May 06)
- RE: Malware test sites Seth Tregenna (May 06)
- RE: Malware test sites Rapaille Max (May 07)
- RE: Malware test sites z33k666 (May 07)
- Non Disclosure Agreements Tim Heagarty (May 09)
- Re: Non Disclosure Agreements Johan Denoyer (May 09)
- Re: Non Disclosure Agreements David J. Bianco (May 09)
- RE: Non Disclosure Agreements David Gillett (May 13)
- RE: Malware test sites z33k666 (May 07)