Vulnerability Development mailing list archives

Re: It takes two to tango


From: Markus Stumpf <maex-lists-security-vuln-dev () Space Net>
Date: Thu, 1 Aug 2002 20:50:30 +0200

On Thu, Aug 01, 2002 at 09:54:08AM -0400, Brooke, O'neil (EXP) wrote:
[SNIP]
If the client was not notified after the vulnerability was published (not
the exploit), businesses affected by the security hole could sue the
vendor.  The vendor may have chosen not to inform its clients of the
potential security problem, and thus did not do its due diligence.
[SNIP]

Does notification really make any difference?
Vendors grant a usage license. They still *own* the software, so they
are responsible for any problems in the first place. (Just like a car
rental agency is responsible in the first place if a client violates the law
with their car.) No matter what their EULA says.

So why not sue the vendor for any problems and tell him to sue his licensee,
to get the money back from him.

IANAL, but shouldn't that work?

        \Maex
