Full Disclosure mailing list archives
Responsible disclosure: terms and conditions
From: Pedro Ribeiro <pedrib () gmail com>
Date: Fri, 6 Jun 2014 08:23:05 +0100
As you all know, responsible disclosure can be hard. You want to do the right thing, give the vendor some time to fix the issue, protect its customers, etc; but the first thing the vendor does is to threaten to sue / arrest / beat up / kill you. Fortunately this is happening less and less, but there are still plenty of examples, as can be seen at http://attrition.org/errata/legal_threats/.

I had this idea of making Terms & Conditions that you would send to a vendor prior to disclosing the vulnerabilities. The vendor (or someone responsible) would have to accept these terms by replying to your email, and only then would you reveal the vulnerabilities. If they didn't accept, you would release them to the public (full disclosure) immediately.

I am not a lawyer, so I would like everyone's opinion (lawyer or not) on whether this would actually provide any protection.

==== snip ====

TERMS AND CONDITIONS v0.1
=========================

The "RESEARCH" is the findings, vulnerabilities, proofs of concept and any information provided by the researcher.
The "RESEARCHER" is <Your name, title, company and / or email here>, unless otherwise noted.
"YOU" refers to the person or institution that produces, distributes or commercializes the product.
"PRODUCT" is the application, hardware or software that was analysed by the researcher.

The research provided to you is the sole intellectual property of the researcher. It is shared with you in accordance with the terms set below:

1- You will not attempt to threaten or prosecute the researcher in any jurisdiction.
2- No guarantees are made with regard to the accuracy of the research.
3- The research is the result of many hours of analysis, testing, inspection and / or reverse engineering of your product, as allowed by the "Security Exception" of the Digital Millennium Copyright Act and the equivalent European Union law.
4- The researcher cannot and will not give you advice, test or provide any feedback regarding a possible fix unless contracted to do so by you.
5- This research is intended to be released to the public in order to enhance the security of your product and allow your customers to protect themselves. The researcher will wait for a reasonable amount of time before releasing this information in order to allow you to provide a fixed version of your product. Normally this will be 30 days, but exceptions might be made solely at the discretion of the researcher.
6- The fixed version of your product will have to be provided by you to your previous and current customers completely free of any charge.
7- It is appreciated if you mention the researcher's name when providing the fixed version of your product. Monetary rewards are highly appreciated but not expected in any way.

==== snip ====

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Responsible disclosure: terms and conditions Pedro Ribeiro (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Daniel Wood (Jun 08)
- Re: Responsible disclosure: terms and conditions Dave Warren (Jun 08)
- Re: Responsible disclosure: terms and conditions Daniel Wood (Jun 09)
- Message not available
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions coderman (Jun 09)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Message not available
- Re: Responsible disclosure: terms and conditions Pedro Ribeiro (Jun 08)
- <Possible follow-ups>
- Re: Responsible disclosure: terms and conditions codeinject.org (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)