Full Disclosure mailing list archives

Re: Responsible disclosure: terms and conditions


From: Pedro Ribeiro <pedrib () gmail com>
Date: Sun, 8 Jun 2014 10:45:06 +0100

On 8 June 2014 09:16, Owen Tuz <owentuz () gmail com> wrote:
> I am also not a lawyer, but think you would have serious problems getting
> this to hold up in any court.
>
> What you're describing is equivalent to the email disclaimers used by many
> businesses - "If you have received this email in error, please delete it
> without reading its contents" and so on. Such contracts are by their nature
> implicit (they assume an agreement) and it is thus usually enough for the
> recipient to explicitly state that they do not agree.
>
> That is, it becomes harder to assume an agreement in the face of an email
> saying "I do not agree"!
>
> Despite this, such disclaimers aren't totally legally bankrupt: for
> example, many businesses do include a confidentiality clause as above
> because, even if not binding in itself, it is useful to be able to
> demonstrate that the recipient of a message knew its contents were at least
> *supposed* to be confidential.
>
> However, I don't believe you could enforce a contract of the kind you are
> suggesting.
>
> There are bigger problems with your model, though. Firstly, if the vendor
> doesn't reply, you don't even have that implicit agreement - so the email
> provides no protection for you if/when you decide to publicly release
> details of the vulnerability in question.


I understand your criticism and I am aware that those types of emails
provide little to no protection.
However, I think the analogy is incorrect.

These terms and conditions would have to be part of a very specific
process that would have to be followed by the researcher. The process
would have to be like this:

1) You contact the vendor saying that you have found a vulnerability
in their product and wish to communicate with them, asking for an
email back.

2) An individual in the company emails you back.

3) You send the terms and conditions, stating that the individual will
be accepting it on behalf of the company (possible weak point here).


At this point it branches out in two possible paths. First path:

4a) The individual replies back saying they agree to the terms and conditions

5a) You send the details, ask for a release date, etc.
...
6a) Fix gets released and you release the advisory.

Further branching in two paths:

7aa) The company sues you.
OR
7ab) The company does not sue you.


The second path after 3) would be:

4b) The individual replies back saying they do NOT agree to the terms
and conditions.

5b) You inform them that you will not reveal to them the details of
the vulnerability (or alternatively do not even reply).

6b) You release the details of the vulnerability anonymously.


So as long as you follow the script above, there are 3 possible outcomes.
- In 7ab) you are not sued.

- In 6b) you cannot be sued. You have not provided any details of the
vulnerability to the company (the email in 1) cannot provide any
specific details in any way). It is practically impossible for the
company to sue you, unless they have NSA-like capabilities or power,
as long as you send the details to full-disclosure or whatever using Tor.

- In 7aa) you get sued. Again, I'm not a lawyer, but I do believe the
agreement would afford you some sort of legal protection here. The
fact that an individual who is part of the company accepted the
agreement, plus the fact that the company collaborated with you with
regards to dates, coordinated disclosure, etc., suggests that they have
implicitly followed the agreement.
The only problem I can see is if the company implies that the individual
who accepted the agreement did not have authority to do so.


> Secondly, if a vendor truly believes (correctly or not, let's not get into
> that) that you have done something illegal then they will take you to court
> anyway. Simply put, you can't write a contract that lets you break the law.


That is true, but the fact that the vendor believes you will be
breaking the law does not mean you are indeed breaking it. The DMCA
protection in the US should be sufficient provided they cannot invoke
the "national security" clause.

But I do see a bigger problem with this though. By forcing a company
to accept this legal agreement, you might draw unwanted attention to
you from what would otherwise be a friendly company if you had
followed a normal disclosure procedure. Things can get ugly once the
legal department gets involved, and lawyers have a way to complicate
things...

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
