Re: [VulnWatch] Details of Sybase ASE bugs withheld

From: Simple Nomad (
Date: 03/23/05

  • Next message: Peter J. Holzer: "Re: New Whitepaper: Anti Brute Force Resource Metering"
    Date: Wed, 23 Mar 2005 09:03:21 -0600

    On Tuesday 22 March 2005 14:53, Marchand, Tom wrote:
    > And what happens when the vendor won't indemnify the researchers? No more
    > security bulletins? Wouldn't the vendors love that. Or would security
    > researchers become outlaws?

    It gets worse if you consider that the researcher may be researching a COTS
    product on behalf of a client who wants the software evaluated before it is
    implemented/purchased. Now where does the EULA lie? Company X bought the
    software, but pays me to evaluate it in a cubicle on Company X's property.
    Does the EULA apply to me? What if Company X already installed it on a
    computer, and *they* clicked "I Agree" during the license question and I am
    just there to rip things apart bit by bit?

    This is why EULAs don't work in this context.

    Additionally, myself and/or NMRC has been threatened with legal action from
    several companies or have done "legalish" things to try to scare us ("please
    GPG sign NMRC's disclosure policy with *your personal* GPG key and email it
    to us before releasing your advisory we don't want published"). My experience
    through my employer BindView also leads me to believe that given the chance
    any and all vendors will do anything to prevent public disclosure of bugs.

    IMO, several large vendors are waiting for one of the smaller companies to
    risk the bad publicity of going after a security researcher (criminal, civil,
    or both) so a precedence has been set. Assuming the courts decide in favor of
    the company instead of the researcher, security research as we know it will
    end as all the vendors come after us like biblical locust swarms, and we will
    go back underground, old school style.

    # Simple Nomad  --                #
    # C1B1 E749 25DF 867C 36D4  1E14 247A A4BD 6838 F11D #
    #                     #

  • Next message: Peter J. Holzer: "Re: New Whitepaper: Anti Brute Force Resource Metering"

    Relevant Pages