Security Basics mailing list archives
Re: Non Disclosure Agreements
From: Mark Reardon <riscorp () mindspring com>
Date: Mon, 12 May 2003 08:54:00 -0400 (GMT)
Every contractor and employee has this issue. When you do the evaluation, these companies are paying for it and providing you with permission to do the testing required to produce it. It is up to them to then make a business decision on the mitigation steps required. They certainly don't want you to make the possibility of discovery 100% by publishing the issues. If they are worth doing business with, then trust them to take your input and put it into their business processes for improvements on the site.

Is it 100% satisfying? No. But if you don't do it then they won't know what to improve anyway, and someone with less morals will find the problems for them. They are willing to spend money to find the issues. Trust them to take the appropriate steps once they are discovered. Also, offer to do follow-up work testing the mitigation steps and helping with their implementation.

Mark

-------Original Message-------
From: Tim Heagarty <Tim () TheaSecure Com>
Sent: 05/08/03 01:09 PM
To: security-basics () securityfocus com
Subject: Non Disclosure Agreements
I have a potential client that wishes me to go to their customer's site and perform various normal analysis activities on a system that the client has written and installed at the customer's site. My client wants me to produce an NDA with them that would contain the following points. I can only disclose vulns in the system to the customer and to my client. The customer cannot disclose vulns that I find in their system to anyone but the vendor/my client.

These are large public systems that are used by thousands of end users and contain great potential for customer harm if the system has a problem that is not immediately repaired. A small vuln would allow thousands of private records to be exposed. I feel like my hands would be tied. If I found something that I felt was major and the vendor did not, then I could not expose it to bugtraq or anywhere else to protect the safety and privacy of the end user. Not even the vendor's customer could expose the holes in their system without the vendor's approval.

Have you folks run across this before? What did you do? Any ideas?

Tim Heagarty CISSP, MCSE
http://www.TheaSecure.com/
"There are only 10 kinds of people in the world, those that understand binary, and those that don't."
----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell