Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: It takes two to tango

From: woods () weird com (Greg A. Woods)
Date: Wed, 31 Jul 2002 11:15:27 -0400 (EDT)
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]

Subject: Re: It takes two to tango

Does V still have the right to sue R?


Absolutely not.  They were given more than fair notice.


 If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.


Only if the law fails to recognize the notice given by the discoverer to
the vendor.  Perhaps security researchers should begin using registered
mail to notify vendors.

It probably also means that those who feel vendors do not deserve fair
notice will (have to / continue to) resort to posting exploits anonymously.


IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.


IANAL, but I would hope no new laws are necessary -- the recognition of
fair notice should be sufficient.

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
Previous By Date Next
Previous By Thread Next

Current thread: