As much as corporate liability makes sense, I doubt it will ever come to fruition. I think it will be near impossible to prove "negligence." It will be a matter on interpreting the raw code and showing that the programmers intentionally cut corners. That won't be an easy thing to prove. Chris ponders if vendor V has the "right" to sue researcher R. Remember that in this country, you have the right to sue anyone for anything (like the guy suing McDonald's because he's fat http://www.cnn.com/2002/HEALTH/diet.fitness/07/26/fast.food.lawsuit.ap/index .html ) or people who sue the tobacco companies, as if you thought lighting something on fire and inhaling it was GOOD for you? Jeez. It is now vital for everyone, especially small companies, to keep a paper trail of everything to protect themselves to show that they exerted a reasonable effort to contact the offending software manufacturer, although that may not matter. Were my company to go head to head with an HP caliber opponent, we'd lose hands down. We couldn't afford to win. Legal expenses would choke us. Anyone remember Microsoft vs. Stacker? There is an interesting talk on this very subject at Defcon this weekend that I am looking forward to called "The Politics of Vulnerabilities." Should be interesting. I think the systems works for now and hopefully it will stay that way. Sooner or later though, one of the big boys will get an itchy legal trigger finger and go after (and probably bury) some small security company. The security community will go nuts. Dogs and cats, sleeping together. People will yell and point fingers then they'll create a government agency that will handle all vulnerabilities and liaison between the security guys and the software vendors, which will suck and I'll get out of the security business and sell Tupperware in the Caymans. My last two cents: don't always blame the programmers. I recall a 2 million dollar development project I led years ago that had to be completed in 6 weeks (including QA) because the marketing dept. of the company I worked for had already spent huge $$ on ads. Never mind if anyone thought we could actually complete the project in that time frame. We had to cut a lot of corners to pull that off and had planned on going back and fixing them after the fact. Of course, the marketing guys came up with all new stuff for us to build and sell. You get the idea. Blame the marketing and sales folks. They're evil. OK. I'm off my soap box. Hope to see you at DefCon this weekend! Buy me a beer...or two. I'll be happy to rant on for days. Gibby McCaleb www.covertsystems.net Covert Systems, Inc.
