Re: [FD] Responsible disclosure: terms and conditions
On Sun, Jun 8, 2014 at 4:03 AM, Paul Vixie p...@redbarn.org wrote:
> ...
> i am not a lawyer either. i started MAPS, the first anti-spam company, in 1997 or so, and became the most-sued person i know. i may be the most-sued person you'll ever know.

you have had interesting experiences!

how many of these lawsuits have been dropped before heading to trial? (numbers or percentages?)

how many legal motions went back and forth before trial in various motions or other tactics?

how many plaintiffs were multiple offenders, or behind multiple legal filings against you in multiple venues?

how many of these lawsuits encountered procedural or judicial complications by nature of being technical in nature?

(and if you've answered these elsewhere please forgive and point in the right direction :)

best regards,

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Responsible disclosure: terms and conditions
Should also point out that getting E&O insurance is a good idea.

Daniel

On Jun 8, 2014, at 1:34 PM, Dave Warren da...@hireahit.com wrote:

> On 2014-06-08 04:03, Paul Vixie wrote:
>> this is concerning, for two reasons. first, for enforceability, a contract requires exchange of consideration. what's yours? i can see that the vendor is receiving something of value (the disclosure) but it's not clear what you're getting in return beyond the opportunity to have your good deeds go unpunished. absence of a negative does not amount to a positive in the eyes of the law.
>
> Indemnity is definitely consideration. I'm not sure that "1- You will not attempt to threaten or prosecute the researcher in any jurisdiction." is sufficient though, but something similar in appropriate legalese would possibly do the trick.
>
> There also needs to be an enforcement or penalty clause that is mutually agreeable (and this is probably where most companies will start to wonder if agreeing is worthwhile). A contract without an enforcement clause is mostly useless since a violation will, at most, allow the opposing party to disregard the contract. This works great in a "I will mow your lawn as needed for $80/week" contract, in which case in the event of a breach, the other party would stop complying with their terms. In this case, the vendor has an ongoing obligation to not sue, whereas the researcher has completed their portion as soon as they reveal the information to the company (or as soon as they complete a defined responsible disclosure period). If the company chooses to pursue legal action against the researcher, the researcher has no remedy in the contract.
>
> At a minimum, agreeing to limit damages in the event of any and all legal actions resulting from researching and disclosing the vulnerability would be a start.
>
> Still, I like the idea, especially if it's something that a reasonable number of researchers use.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
Re: [FD] Responsible disclosure: terms and conditions
Keep in mind you can always be sued. No matter what 'legal' document you may have. I'm the third down on that attrition list.

This brings to mind this recent blog from John Strand:
http://pen-testing.sans.org/blog/pen-testing/2014/06/04/five-things-every-pen-tester-should-know-about-working-with-lawyers
Not specifically regarding disclosure but worth the read.

Daniel

On Jun 8, 2014, at 7:03 AM, Paul Vixie p...@redbarn.org wrote:

> Pedro Ribeiro wrote:
>> ...
>> I am not a lawyer, so I would like everyone's opinion (lawyer or not) on whether this would actually provide any protection.
>
> i am not a lawyer either. i started MAPS, the first anti-spam company, in 1997 or so, and became the most-sued person i know. i may be the most-sued person you'll ever know. and i've been sued by some experts. so:
>
>> I had this idea of making Terms & Conditions that you would send to a vendor prior to disclosing the vulnerabilities. The vendor (or someone responsible) would have to accept these terms by replying to your email and only then you would reveal the vulnerabilities. If they didn't accept, you would release them to the public (full disclosure) immediately.
>
> this is concerning, for two reasons. first, for enforceability, a contract requires exchange of consideration. what's yours? i can see that the vendor is receiving something of value (the disclosure) but it's not clear what you're getting in return beyond the opportunity to have your good deeds go unpunished. absence of a negative does not amount to a positive in the eyes of the law.
>
> you're also treating this as a one-off. i suggest you make it continuous, and make continuity be a value they are trading for. so, make this a relatively standard bilateral NDA stating the violation by them will result in (a) cancellation of the NDA, (b) unwillingness by you to enter into another NDA with them for three years, and (c) naming and shaming them for who they are and what they did, over on slashdot.
>
> it's generally good text other than these structural matters. you'll want a real lawyer to look at it before you try to use it, and maybe before you process my suggestion above. we have two non-practicing lawyers in the computer security field, david dagon and anne mitchell. let me know if you'd like an introduction to either.
>
> vixie
Re: [FD] Responsible disclosure: terms and conditions
On 2014-06-08 04:03, Paul Vixie wrote:
> this is concerning, for two reasons. first, for enforceability, a contract requires exchange of consideration. what's yours? i can see that the vendor is receiving something of value (the disclosure) but it's not clear what you're getting in return beyond the opportunity to have your good deeds go unpunished. absence of a negative does not amount to a positive in the eyes of the law.

Indemnity is definitely consideration. I'm not sure that "1- You will not attempt to threaten or prosecute the researcher in any jurisdiction." is sufficient though, but something similar in appropriate legalese would possibly do the trick.

There also needs to be an enforcement or penalty clause that is mutually agreeable (and this is probably where most companies will start to wonder if agreeing is worthwhile). A contract without an enforcement clause is mostly useless since a violation will, at most, allow the opposing party to disregard the contract. This works great in a "I will mow your lawn as needed for $80/week" contract, in which case in the event of a breach, the other party would stop complying with their terms. In this case, the vendor has an ongoing obligation to not sue, whereas the researcher has completed their portion as soon as they reveal the information to the company (or as soon as they complete a defined responsible disclosure period). If the company chooses to pursue legal action against the researcher, the researcher has no remedy in the contract.

At a minimum, agreeing to limit damages in the event of any and all legal actions resulting from researching and disclosing the vulnerability would be a start.

Still, I like the idea, especially if it's something that a reasonable number of researchers use.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [FD] Responsible disclosure: terms and conditions
codeinject.org wrote:
> any lawyer will dismiss this in court stating it was signed under duress.

in my proposed model, the only recourse a researcher has against vendor nonperformance is future silence. in your scenario above the lawyer in question would be trying to argue that future silence was in some way inappropriate.

> Also it sounds an awful lot like blackmail.

i wish to enter into a no-fee relationship with you wherein you will receive certain valuable information at no monetary cost. the only requirement you would have to meet in order to receive this and future potentially valuable information is absolute fidelity to this nondisclosure agreement.

doesn't sound like blackmail to me, not even a little bit. and i've been sued by experts. and it's what i wish i'd tried instead of doing the BIND Forum (criticized as a form of pay for play), back when CMU-CERT's lossy predisclosure chain screwed me for what i swore would be the last fscking time.

> I think you should either make the gamble, or let a ZDI, Exodus, VUPEN etc do the disclosure on your behalf. or just go full disclosure on them =)

those are all lose-lose propositions. i say shoot for a win-win and let lose-lose be the recourse (fallback position).

vixie
Re: [FD] Responsible disclosure: terms and conditions
Paul Vixie wrote:
> ...
> i wish to enter into a no-fee relationship with you wherein you will receive certain valuable information at no monetary cost. the only requirement you would have to meet in order to receive this and future potentially valuable information is absolute fidelity to this nondisclosure agreement.

i meant mutual nondisclosure and mutual hold harmless agreement, of course.

vixie
Re: [FD] Responsible disclosure: terms and conditions
Pedro Ribeiro wrote:
> On 8 June 2014 12:03, Paul Vixie p...@redbarn.org wrote:
>> it's generally good text other than these structural matters. you'll want a real lawyer to look at it before you try to use it, and maybe before you process my suggestion above. we have two non-practicing lawyers in the computer security field, david dagon and anne mitchell. let me know if you'd like an introduction to either.
>
> Appreciate the offer, but this is more a hobby so I can't really afford a lawyer. Or would they consult on this for free?

i can't speak for them in that regard. dagon loves the sound of his own voice nearly as much as i.
Re: [FD] Responsible disclosure: terms and conditions
coderman wrote:
> On Sun, Jun 8, 2014 at 4:03 AM, Paul Vixie p...@redbarn.org wrote:
>> ...
>> i am not a lawyer either. i started MAPS, the first anti-spam company, in 1997 or so, and became the most-sued person i know. i may be the most-sued person you'll ever know.
>
> you have had interesting experiences!
>
> how many of these lawsuits have been dropped before heading to trial? (numbers or percentages?)

all of them.

> how many legal motions went back and forth before trial in various motions or other tactics?

dozens each; hundreds in total.

> how many plaintiffs were multiple offenders, or behind multiple legal filings against you in multiple venues?

zero.

> how many of these lawsuits encountered procedural or judicial complications by nature of being technical in nature?

roughly half.

> (and if you've answered these elsewhere please forgive and point in the right direction :)

i'm just trying to telegraph my lack of legal training by saying, everything i know about getting sued, i learned by getting sued. that's both strength and weakness.