As much as corporate liability makes sense, I doubt it will ever come to fruition. I think it will be near impossible to prove "negligence." It will be a matter on interpreting the raw code and showing that the programmers intentionally cut corners. That won't be an easy thing to prove. Chris ponders if vendor V has the "right" to sue researcher R. Remember that in this country, you have the right to sue anyone for anything (like the guy suing McDonald's because he's fat http://www.cnn.com/2002/HEALTH/diet.fitness/07/26/fast.food.lawsuit.ap/index .html ) or people who sue the tobacco companies, as if you thought lighting something on fire and inhaling it was GOOD for you? Jeez. It is now vital for everyone, especially small companies, to keep a paper trail of everything to protect themselves, although that may not matter. Were my company to go head to head with an HP caliber opponent, we'd lose hands down. We couldn't afford to win. Legal expenses would choke us. Anyone remember Microsoft vs. Stacker? There is an interesting talk on this very subject at Defcon this weekend that I am looking forward to called "The Politics of Vulnerabilities." Should be interesting. I think the systems works for now and hopefully it will stay that way. Sooner or later though, one of the big boys will get an itchy legal trigger finger and go after (and probably bury) some small security company. The security community will go nuts. Dogs and cats, sleeping together. People will yell and point fingers then they'll create a government agency that will handle all vulnerabilities and liaison between the security guys and the software vendors, which will suck and I'll get out of the security business and sell Tupperware in the Caymans. My last two cents: don't always blame the programmers. I recall a 2 million dollar development project I led that had to be completed in 6 weeks (including QA) because the marketing dept. of the company I worked for had already spent huge $$ on ads. Never mind if anyone thought we could actually complete the project in that time frame. We had to cut a lot of corners to pull that off and had planned on going back and fixing them after the fact. Of course, the marketing guys came up with all new stuff for us to build and sell. You get the idea. Blame the marketing and sales folks. They're evil. OK. I'm off my soap box. Hope to see you at DefCon this weekend! Buy me a beer...or two. I'll be happy to rant on for days. Gibby McCaleb www.covertsystems.net Covert Systems, Inc. -----Original Message----- From: Chris Paget [mailto:ivegotta@tombom.co.uk] Sent: Wednesday, July 31, 2002 3:35 AM To: Richard M. Smith; bugtraq@securityfocus.com Subject: Re: It takes two to tango <snip> > "Ferson also said that HP reserves > the right to sue SnoSoft and its members "for monies > and damages caused by the posting and any use of the > buffer overflow exploit." This raises a very interesting point. Bruce Schneier has stated publicly that he believes vendors should be held responsible for security flaws in their products (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I agree with this viewpoint, as, I am sure, do many people on this list. However, how would this affect the vulnerability disclosure process? 1) Researcher R finds a security hole in vendor V's product. 2) R attempts to contact V to reveal the bug. 3) V does not respond. 4) R attempts communication several times over the next 90 days, but never receives a response. 5) R releases an advisory. 6) Attacker A writes an exploit for the hole, and uses it to hack into company C. 7) C successfully sues V for several million dollars compensation. Does V still have the right to sue R? If vendors are made liable for security holes, and those vendors have the right to sue the people who find advisories and / or release exploits, then we'll be seeing security researchers on the wrong end of multi-million dollar lawsuits. I'm sure I'm not the only person who feels uncomfortable about this. Buffer overflow exploits are not difficult to write; it doesn't come down to whether there's exploit code or just an advisory. IMHO, vendors SHOULD be responsible for security holes. However, before that can be done there needs to be some kind of law put in place to protect the researchers who find the holes. Doesn't need to be much, just a blanket law that if the researcher has taken reasonable steps to alert the vendor, they cannot be held liable for the consequences of releasing the advisory. If that doesn't happen, things are going to get messy. Chris -- Chris Paget ivegotta@tombom.co.uk
