Full Disclosure mailing list archives

Re: Legality of Open Source Tools


From: coderman <coderman () gmail com>
Date: Sun, 6 Apr 2014 02:28:23 -0700

On Fri, Apr 4, 2014 at 3:58 AM, Bryan Bickford <bryan () unhwildhats com> wrote:
> ...
> I am a security researcher who is working on a project in my free time,
> without going into details - the project will end with a powerful tool
> being publicly released.

yes, but released under what license? :)



> Obviously most cyber security tools have the potential for abuse. What sort
> of legal hurdles (if any) do you need to overcome to protect yourself when
> releasing software along the lines of metasploit?

you'll be asked to sell your time consulting on said tool.  so get
your corporate finance and tax legal hurdles settled first of all.

next, during some consignment work, you'll find a particularly
awesome/nasty/impressive/scary sploit and want to present or sell it.
you should expect arguments over your time as hourly consulting
service vs. your time as work for hire under third party ownership,
and so insulate your contracts with customers as another legal hurdle
with these considerations in mind.

last but not least, non-disclosure agreements and trade secrets will
come into play under some engagements. be sure you legally cover your
own ass in any such terms you agree to.

assuming your tool of pwnage continues to be increasingly successful,
expect all the entrepreneurial legal concerns to show their ugly
heads, and allocate legal budget and expertise accordingly.


... hopefully you don't have to deal with an overly aggressive
attorney pushing absurd criminal charges for open source code repos on
github[0].  that's a whole other kind of legal ass covering of which i
am not even sure how to recommend you position yourself in your
multiple jurisdictions of concern....  good luck!



0. opensource scada scanner == felony hacker charges [citation needed]
  some scada scanning tool released as open source led to some total
insanity.  too lazy to cite sources this moment, but plenty of other
absurdity abounds.



last consideration: is limited disclosure the better course?  save it
for DEF CON (the parties not the conference) before you burn it if
really fun for all ages :P

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
