[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ] > Subject: Re: It takes two to tango > > Does V still have the right to sue R? Absolutely not. They were given more than fair notice. > If vendors are made liable for > security holes, and those vendors have the right to sue the people who > find advisories and / or release exploits, then we'll be seeing > security researchers on the wrong end of multi-million dollar > lawsuits. Only if the law fails to recognize the notice given by the discoverer to the vendor. Perhaps security researchers should begin using registered mail to notify vendors. It probably also means that those who feel vendors do not deserve fair notice will (have to / continue to) resort to posting exploits anonymously. > IMHO, vendors SHOULD be responsible for security holes. However, > before that can be done there needs to be some kind of law put in > place to protect the researchers who find the holes. IANAL, but I would hope no new laws are necessary -- the recognition of fair notice should be sufficient. -- Greg A. Woods +1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
