Full Disclosure mailing list archives
Re: Fwd: NDA & SOX?
From: Rob <spamproof () nospammail net>
Date: Sat, 12 Mar 2005 03:49:53 -0800
Jason Coombs wrote:
> Christoph Gruber wrote:
> > If a manufacturer of software gets knowledge of a certain weakness
> > (vulnerability), does he have to inform the public immediately?
> > Is it even worse if the manufacturer forces everyone who has
> > knowledge about that thing to sign NDAs?
>
> Let me take your question a little further...
>
> Suppose you are a "Director" of a public company, and you have knowledge of design flaws and vulnerabilities designed into a software product on purpose?
>
> The flaws harm investors, they harm the public, they harm information security in general. They are unethical. You inform the company that the flaws exist, and nothing is done about them. Instead, you're slowly but forcefully pushed out of the company.
>
> You've signed an NDA. What do you do?
>
> Regards,
> Jason Coombs
> jasonc () science org
You send a certified, anonymous regular US postal letter directed to:

    The Company in Question
    The Executive Audit Committee
    Attention: SOX Section 301

According to SOX, the company is supposed to create special processes for handling any type of correspondence to the Audit Committee and to assure that only the audit committee members see the contents.
Be sure not to get your fingerprints on the paper or envelope, and mail it from a small post office far from your normal post office. Use gpg (with a unique key specially created just for your correspondence to the audit committee) to sign the text [which should include the number from the certified mail label (pick this up from the post office prior to printing out the letter)]. This, combined with the canceled certified mail receipt, will allow you to prove that you reported the situation if/when they try to implicate you. But if you were/are a director, you should do it soon to protect yourself, now that you have made public that you have such information.
And I don't want to be rude, but *please* either put up or shut up about your fight with your former company. Please, either "fully disclose" whatever you are alluding to in the above or keep it private. To quote you: "Disclosure is something that good people do. Non-disclosure is something that bad people do."
I could be wrong but with this topic you seem to have sailed beyond the edge of the FD List Charter.
But then again, I am not a lawyer or moderator, so take it FWIW...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- Fwd: NDA & SOX? Christoph Gruber (Mar 11)
- Re: Fwd: NDA & SOX? Jason Coombs (Mar 11)
- Re: Fwd: NDA & SOX? Rob (Mar 12)
- RE: Fwd: NDA & SOX? Aditya Deshmukh (Mar 12)
- Re: Fwd: NDA & SOX? Nancy Kramer (Mar 12)
- <Possible follow-ups>
- Re: Fwd: NDA & SOX? Jason Coombs (Mar 12)
- Re: Fwd: NDA & SOX? Jason Coombs (Mar 11)