Full Disclosure mailing list archives

Re: Responsible disclosure: terms and conditions


From: Paul Vixie <paul () redbarn org>
Date: Sun, 08 Jun 2014 11:23:08 -0700



codeinject.org wrote:
> any lawyer will dismiss this in court stating it was signed under duress.

in my proposed model, the only recourse a researcher has against vendor
nonperformance is future silence. in your scenario above the lawyer in
question would be trying to argue that future silence was in some way
inappropriate.

> Also it sounds an awful lot like blackmail.

"i wish to enter into a no-fee relationship with you wherein you will
receive certain valuable information at no monetary cost. the only
requirement you would have to meet in order to receive this and future
potentially valuable information is absolute fidelity to this
nondisclosure agreement."

doesn't sound like blackmail to me, not even a little bit. and i've been
sued by experts. and it's what i wish i'd tried instead of doing the
BIND Forum (criticized as a form of "pay for play"), back when
CMU-CERT's lossy predisclosure chain screwed me for what i swore would
be the last fscking time.


> I think you should either make the gamble, or let a ZDI, Exodus, VUPEN etc
> do the disclosure on your behalf.

> or just go full disclosure on them =)

those are all lose-lose propositions. i say shoot for a win-win and let
lose-lose be the recourse ("fallback position").

vixie


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/