Re: Complicated Disclosure Scenario

From: Nick Lange (nicklange@wi.rr.com)
Date: 01/17/02


From: "Nick Lange" <nicklange@wi.rr.com>
To: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
Date: Thu, 17 Jan 2002 14:34:51 -0600

One other point here [once again my opinion]:
    While many licenses forbid reverse engineering etc., if your license
becomes void for researching security vulnerabilities or disclosing them to
the public, then you need to point out to whomever makes budgeting decisions
that this is not the product to use, simply because their uncooperative
attitude will end up costing *your* business money cleaning up a hacker
attack if you follow the license! And for a business, that's all that
matters [imho]. (I would seriously have you or your boss compare an IT
cleanup of your servers after compromise to the cost of integrating a new
product into your production environment over the long term.) The product
may be good, but if you and other businesses are going to be screwed over by
an environment of immaturity, is it worth it?
Once again, my two cents,
nick
----- Original Message -----
From: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
To: "Josha Bronson" <dmuz@slartibartfast.angrypacket.com>
Cc: <vuln-dev@securityfocus.com>
Sent: Thursday, January 17, 2002 05:04
Subject: Re: Complicated Disclosure Scenario

> Josha Bronson <dmuz@slartibartfast.angrypacket.com> writes:
>
> > So, what would you do?
>
> Write to the vendor and announce the publication of the preliminary
> results within, say, two weeks, and rely on Full Disclosure forcing
> the vendor to provide a fix. (However, there might be constraints in
> your license contracts which could make this illegal.)
>
> I'm surprised that this aspect of Full Disclosure is still necessary
> today.
>
> --
> Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898