<snip> > "Ferson also said that HP reserves > the right to sue SnoSoft and its members "for monies > and damages caused by the posting and any use of the > buffer overflow exploit." This raises a very interesting point. Bruce Schneier has stated publicly that he believes vendors should be held responsible for security flaws in their products (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I agree with this viewpoint, as, I am sure, do many people on this list. However, how would this affect the vulnerability disclosure process? 1) Researcher R finds a security hole in vendor V's product. 2) R attempts to contact V to reveal the bug. 3) V does not respond. 4) R attempts communication several times over the next 90 days, but never receives a response. 5) R releases an advisory. 6) Attacker A writes an exploit for the hole, and uses it to hack into company C. 7) C successfully sues V for several million dollars compensation. Does V still have the right to sue R? If vendors are made liable for security holes, and those vendors have the right to sue the people who find advisories and / or release exploits, then we'll be seeing security researchers on the wrong end of multi-million dollar lawsuits. I'm sure I'm not the only person who feels uncomfortable about this. Buffer overflow exploits are not difficult to write; it doesn't come down to whether there's exploit code or just an advisory. IMHO, vendors SHOULD be responsible for security holes. However, before that can be done there needs to be some kind of law put in place to protect the researchers who find the holes. Doesn't need to be much, just a blanket law that if the researcher has taken reasonable steps to alert the vendor, they cannot be held liable for the consequences of releasing the advisory. If that doesn't happen, things are going to get messy. Chris -- Chris Paget ivegotta@tombom.co.uk
