Full Disclosure mailing list archives

Responsible disclosure: terms and conditions


From: Pedro Ribeiro <pedrib () gmail com>
Date: Fri, 6 Jun 2014 08:23:05 +0100

As you all know, responsible disclosure can be hard.
You want to do the right thing, give the vendor some time to fix the
issue, protect its customers, etc; but the first thing the vendor does
is to threaten to sue / arrest / beat up / kill you.

Fortunately this is happening less and less, but there are still
plenty of examples, as can be seen at
http://attrition.org/errata/legal_threats/.

I had this idea of making Terms & Conditions that you would send to a
vendor prior to disclosing the vulnerabilities. The vendor (or someone
responsible) would have to accept these terms by replying to your
email and only then you would reveal the vulnerabilities. If they
didn't accept, you would release them to the public (full disclosure)
immediately.

I am not a lawyer, so I would like everyone's opinion (lawyer or not)
on whether this would actually provide any protection.

==== snip ====

TERMS AND CONDITIONS v0.1
=========================

The "RESEARCH" are the findings, vulnerabilities, proofs of concept
and any information provided by the researcher.
The "RESEARCHER" is <Your name, title, company and / or email here>,
unless otherwise noted.
"YOU" refers to the person or institution that produces, distributes
or commercializes the product.
"PRODUCT" is the application, hardware or software that was analysed
by the researcher.

The research provided to you is the sole intellectual property of the
researcher. It is shared with you in accordance with the terms set
below:

1- You will not attempt to threaten or prosecute the researcher in any
jurisdiction.

2- No guarantees are made with regards to the accuracy of the research.

3- The research is the result of many hours of analysis, testing,
inspection and / or reverse engineering of your product, as allowed by
the "Security Exception" of the Digital Millennium Copyright Act and
the equivalent European Union law.

4- The researcher cannot and will not give you advice, test or provide
any feedback regarding a possible fix unless contracted to do so by
you.

5- This research is intended to be released to the public in order to
enhance the security of your product and allow your customers to
protect themselves.
The researcher will wait for a reasonable amount of time before
releasing this information in order to allow you to provide a fixed
version of your product. Normally this will be 30 days, but exceptions
might be made solely at the discretion of the researcher.

6- The fixed version of your product will have to be provided by you
to your previous and current customers completely free of any charge.

7- It is appreciated if you mention the researcher's name when
providing the fixed version of your product.
Monetary rewards are highly appreciated but not expected in any way.

==== snip ====

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
