Full Disclosure mailing list archives

Re: Epic Games threatens to sue security researchers


From: "Rick Updegrove (security)" <security () updegrove net>
Date: Tue, 11 Feb 2003 15:17:31 -0800

----- Original Message -----
From: "Georgi Guninski" <guninski () guninski com>
To: "Thor Larholm" <thor () pivx com>
Cc: <full-disclosure () lists netsys com>
Sent: Tuesday, February 11, 2003 1:54 PM
Subject: Re: [Full-disclosure] Epic Games threatens to sue security
researchers

I am not aware of such industry standards. The proposed RFC was not
approved by the IETF?

I have heard a lot of "loose talk" about lawyers getting involved in regards
to "responsible handling" of security advisories.  I would like to take this
opportunity to remind the money grubbing software vendors that such actions
will only further "piss off" the people who are only trying to help make the
Internet a "kinder, gentler place".  As a consumer of these products I ask
you to not piss them off any further.  Soon, nobody will inform you first.
I suspect that they will simply use stolen Yahoo, Hotmail and AOL accounts
to send advisories and exploit code directly to
full-disclosure () lists netsys com bypassing your arrogant and apathetic
security () bigsoftware com addresses altogether.

Speaking of "responsible handling" of security advisories:

I think 1 day (24 hours) before an "informative reply - what they plan to do
about it" from a vendor (a human being, not an autoresponder) is a
*responsibility* of the software vendor.

Then, a week (168 hours) before posting the information to
full-disclosure () lists netsys com is fair*.

    *Unless the vendor and author work something else out.

Moreover, PivX Solutions' self-imposed 90 days (2,160 hours) was *extremely
generous*.

I have to tell you that I am a little puzzled, and somewhat miffed at PivX
for not telling us avid UT players sooner!  It really bothers me that for 90
days I have been "wide open" and Epic Games did absolutely nothing about it?

Hey Mark Rein, I want a refund and an apology!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

