Security Basics mailing list archives

Re: Non Disclosure Agreements


From: JohnNicholson () aol com
Date: Fri, 09 May 2003 14:56:42 -0400

Tim -

You're being hired by the vendor to look for vulnerabilities, so, to me, that's at least one point in the vendor's 
favor. As I understand it, your contract would say that you are only allowed to inform the vendor and the customer of 
any vulnerabilities that you find. The agreement between the vendor and the customer is a separate matter (i.e., the 
customer is not a party to your agreement with the vendor). If the customer elects (or has already elected) to sign 
away its rights to disclose vulnerability information, then that is the customer's issue, because the customer has 
given away some of its leverage over the vendor.

Ultimately, the risk of exposure is not yours to bear. While I think it's noble of you to want to expose the 
vulnerabilities if the vendor refuses to fix them, it's not really your problem. Depending on what type of information 
might be exposed, the customer will also have tremendous incentive to get any vulnerabilities fixed.

John
