Full Disclosure mailing list archives
Re: Responsible disclosure: terms and conditions
From: Pedro Ribeiro <pedrib () gmail com>
Date: Sun, 8 Jun 2014 10:45:06 +0100
On 8 June 2014 09:16, Owen Tuz <owentuz () gmail com> wrote:
> I am also not a lawyer, but think you would have serious problems getting this to hold up in any court. What you're describing is equivalent to the email disclaimers used by many businesses - "If you have received this email in error, please delete it without reading its contents" and so on. Such contracts are by their nature implicit (they assume an agreement) and it is thus usually enough for the recipient to explicitly state that they do not agree. That is, it becomes harder to assume an agreement in the face of an email saying "I do not agree"!
>
> Despite this, such disclaimers aren't totally legally bankrupt: for example, many businesses do include a confidentiality clause as above because, even if not binding in itself, it is useful to be able to demonstrate that the recipient of a message knew its contents were at least *supposed* to be confidential. However, I don't believe you could enforce a contract of the kind you are suggesting.
>
> There are bigger problems with your model, though. Firstly, if the vendor doesn't reply, you don't even have that implicit agreement - so the email provides no protection for you if/when you decide to publicly release details of the vulnerability in question.
I understand your criticism and I am aware that those types of emails provide little to no protection. However, I think the analogy is incorrect. These terms and conditions would have to be part of a very specific process that would have to be followed by the researcher. The process would have to be like this:

1) You contact the vendor saying that you have found a vulnerability in their product and wish to communicate with them, asking for an email back.
2) An individual in the company emails you back.
3) You send the terms and conditions, stating that the individual will be accepting it on behalf of the company (possible weak point here).

At this point it branches out in two possible paths.

First path:
4a) The individual replies back saying they agree to the terms and conditions.
5a) You send the details, ask for a release date, etc. ...
6a) Fix gets released and you release the advisory.

Further branching in two paths:
7aa) The company sues you.
OR
7ab) The company does not sue you.

The second path after 3) would be:
4b) The individual replies back saying they do NOT agree to the terms and conditions.
5b) You inform them that you will not reveal to them the details of the vulnerability (or alternatively do not even reply).
6b) You release the details of the vulnerability anonymously.

So as long as you follow the script above, there are 3 possible outcomes.

- In 7ab) you are not sued.
- In 6b) you cannot be sued. You have not provided any details of the vulnerability to the company (the email in 1) cannot provide any specific details in any way). It is practically impossible for the company to sue you unless they have NSA-like capabilities or power, and you send the details to full-disclosure or whatever using Tor.
- In 7aa) you get sued. Again I'm not a lawyer, but I do believe the agreement would afford you some sort of legal protection here. The fact that an individual who is part of the company accepted the agreement, plus the fact that the company collaborated with you with regards to dates, coordinated disclosure, etc., suggests that they have implicitly followed the agreement. The only problem I can see is if the company implies that the individual who accepted the agreement did not have authority to do so.
> Secondly, if a vendor truly believes (correctly or not, let's not get into that) that you have done something illegal then they will take you to court anyway. Simply put, you can't write a contract that lets you break the law.
That is true, but the fact that the vendor believes you will be breaking the law does not mean you are indeed breaking it. The DMCA protection in the US should be sufficient provided they cannot invoke the "national security" clause.

But I do see a bigger problem with this. By forcing a company to accept this legal agreement, you might draw unwanted attention to you from what would otherwise be a friendly company if you had followed a normal disclosure procedure. Things can get ugly once the legal department gets involved, and lawyers have a way to complicate things...

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Responsible disclosure: terms and conditions Pedro Ribeiro (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Daniel Wood (Jun 08)
- Re: Responsible disclosure: terms and conditions Dave Warren (Jun 08)
- Re: Responsible disclosure: terms and conditions Daniel Wood (Jun 09)
- Message not available
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions coderman (Jun 09)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Message not available
- Re: Responsible disclosure: terms and conditions Pedro Ribeiro (Jun 08)
- <Possible follow-ups>
- Re: Responsible disclosure: terms and conditions codeinject.org (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)
- Re: Responsible disclosure: terms and conditions Eric Rand (Jun 09)
- Re: Responsible disclosure: terms and conditions Paul Vixie (Jun 08)