Riad, et al,

You are ignoring a major difference between the software industry and most other industries. The following applies to the US and most jurisdictions.

The software vendor is selling you a license to use their product, not the product itself. Their license requires you to agree to certain conditions, including limited liability of the software company and certain non-disclosure provisions. The software is copyrighted and subject to copyright law. Your use of their product is an implicit acceptance of their licensing conditions, and of copyright law.

If you find bugs or vulnerabilities in a software company's products you have generally waived your rights to disclose that information in the license agreement you implicitly agreed to. If you are using stolen, or pirated, versions of the software when you make your disclosure known you are subject to prosecution under copyright law. Some licenses could allow a software manufacturer to sue an individual for losses if they can prove a drop in license sales due to the disclosure.

Under certain circumstances you could be liable to prosecution under DMCA and other legislation - legislation which is designed to enforce the rights of copyright holders, not just the software industry. In some jurisdictions you could be liable to prosecution under anti-terrorism laws, if any disclosure you made is exploited and used to harm life or property.

These are the laws. Like it or loathe it. If you really disagree with vendors' licensing agreements, don't use their software. If you don't like the law, petition your elected representative.

It is only relatively recently that the manufacturer of any defective product sold (but not licensed) could be prosecuted for their negligence. Note that under most jurisdictions there are options to prosecute companies who are knowingly negligent and when their actions result in death, e.g. Corporate Manslaughter. I am not aware of any software vendor prosecuted under such a statute, though.

To all those litigators out there - case law is waiting to be written, and precedents set.

John Howie

-----Original Message-----
From: Riad S. Wahby [mailto:rsw@jfet.org]
Sent: Wednesday, July 31, 2002 12:19 PM
To: bugtraq@securityfocus.com
Subject: Re: It takes two to tango

Chris Paget <ivegotta@tombom.co.uk> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well. Unfortunately, it has a fatal design flaw: if the car suffers a rear-end collision while it's in third gear during a rainstorm at night while the moon is waxing, the car explodes, killing its passengers.

Consumer Reports discovers that this is the case and publishes a warning to its readers concerning this car. Ford is unable to reproduce the vulnerable configuration and ignores the warning, assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath has taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So far, five people have died.

Who is responsible, Ford or Consumer Reports? Do you think Ford could successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V should win a suit against R in Chris's hypothetical situation, please explain how the two situations are so substantially different as to result in completely opposite conclusions with regard to liability.

--
Riad Wahby
rsw@jfet.org
MIT VI-2/A 2002