Security Basics mailing list archives
RE: Non Disclosure Agreements
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 12 May 2003 11:19:32 -0700
It seems to me that the work that they're hiring you for is not likely to produce discoveries of the form "program XXX is vulnerable to exploit by doing YYY" -- the sort of thing Bugtraq would be interested in -- but rather more "company AAA has currently deployed a version of XXX that still contains known vulnerability YYY". Publicizing such a discovery might, in itself, be construed as an attack on (or incitement to attack) company AAA.

California has a new law requiring disclosure of actual compromises (not vulnerabilities), and other jurisdictions may follow suit. As long as the agreement makes it clear that you are not responsible for ensuring compliance with such requirements, I don't think there's a problem.

David Gillett
-----Original Message-----
From: Tim Heagarty [mailto:Tim () TheaSecure Com]
Sent: May 8, 2003 10:09
To: security-basics () securityfocus com
Subject: Non Disclosure Agreements

I have a potential client that wishes me to go to their customer's site and perform various normal analysis activities on a system that the client has written and installed at the customer's site. My client wants me to produce a NDA with them that would contain the following points.

I can only disclose vulns in the system to the customer and to my client. The customer cannot disclose vulns that I find in their system to anyone but the vendor/my client.

These are large public systems that are used by thousands of end users and contain great potential for customer harm if the system has a problem that is not immediately repaired. A small vuln would allow thousands of private records to be exposed.

I feel like my hands would be tied. If I found something that I felt was major and the vendor did not, then I could not expose it to bugtraq or anywhere else to protect the safety and privacy of the end user. Not even the vendor's customer could expose the holes in their system without the vendor's approval.

Have you folks run across this before? What did you do? Any ideas?

Tim Heagarty CISSP, MCSE
http://www.TheaSecure.com/
"There are only 10 kinds of people in the world, those that understand binary, and those that don't."