Bugtraq mailing list archives
Re: It takes two to tango
From: Chris Paget <ivegotta () tombom co uk>
Date: Wed, 31 Jul 2002 16:53:26 +0100
On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:
> [ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
> > Subject: Re: It takes two to tango
> >
> > Does V still have the right to sue R?
>
> Absolutely not. They were given more than fair notice.

According to the CNet article:

"In HP's case, SnoSoft says that information made public last year should have given the computer maker enough time to fix the problem."

and

"HP has known about the Tru64 vulnerability 'for some time,' SnoSoft's Finisterre said, but never fixed the problem. An HP spokesman said he did not know if a patch had been released."

Last year? If >7 months isn't enough time to count as "fair notice", then what is? This was a new exploit for an old hole, demonstrating that fair notice is irrelevant if the vendor doesn't like what's going on.

That's what's frightening me: even if I follow widely recognised industry best practices when releasing an advisory, I can still be held personally liable if the vendor decides to invoke that magical 4-letter acronym, DMCA. Yes, I'm in the UK, and could probably argue that the DMCA doesn't apply to me. But the EUCD is virtually identical, and would apply in exactly the same way as the DMCA should the vendor choose to wield it.

Chris

--
Chris Paget
ivegotta () tombom co uk

> > If vendors are made liable for security holes, and those vendors have
> > the right to sue the people who find advisories and / or release
> > exploits, then we'll be seeing security researchers on the wrong end of
> > multi-million dollar lawsuits.
>
> Only if the law fails to recognize the notice given by the discoverer to
> the vendor. Perhaps security researchers should begin using registered
> mail to notify vendors. It probably also means that those who feel
> vendors do not deserve fair notice will (have to / continue to) resort to
> posting exploits anonymously.
>
> > IMHO, vendors SHOULD be responsible for security holes. However, before
> > that can be done there needs to be some kind of law put in place to
> > protect the researchers who find the holes.
>
> IANAL, but I would hope no new laws are necessary -- the recognition of
> fair notice should be sufficient.
Current thread:
- Re: It takes two to tango Riad S. Wahby (Jul 31)
- Re: It takes two to tango Derek D. Martin (Jul 31)
- it's all about timing Florin Andrei (Jul 31)
- Re: [Full-Disclosure] it's all about timing John Scimone (Aug 01)
- <Possible follow-ups>
- RE: It takes two to tango Scott, Richard (Jul 31)
- Re: It takes two to tango Greg A. Woods (Jul 31)
- Re: It takes two to tango Chris Paget (Jul 31)
- Re: It takes two to tango Tom Perrine (Jul 31)
- Re: It takes two to tango Branson Matheson (Jul 31)
- Re: It takes two to tango Kyle R. Hofmann (Jul 31)
- RE: It takes two to tango Mark L. Jackson (Jul 31)
- RE: It takes two to tango John Howie (Jul 31)
- Re: It takes two to tango Randy Hinders (Jul 31)
- Re: It takes two to tango Ltlw0lf (Aug 01)