Re: It takes two to tango

From: Tom Perrine (tepat_private)
Date: Wed Jul 31 2002 - 10:53:04 PDT

    >>>>> On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <ivegottaat_private> said:
    
        CP> <snip>
    
        >> "Ferson also said that HP reserves
        >> the right to sue SnoSoft and its members "for monies
        >> and damages caused by the posting and any use of the
        >> buffer overflow exploit."
    
        CP> This raises a very interesting point.  Bruce Schneier has stated
        CP> publicly that he believes vendors should be held responsible for
        CP> security flaws in their products
        CP> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
        CP> agree with this viewpoint, as, I am sure, do many people on this list.
        CP> However, how would this affect the vulnerability disclosure process?
    
    Others, even some lawyers, agree:
    
    http://www.gocsi.com/pdfs/byte.pdf
    
    Erin also had a similar article in ;login: (requires USENIX
    membership):
    
    http://www.usenix.org/publications/login/2001-12/pdfs/kenneally.pdf
    
    and most recently in IEEE Computer:
    
    http://www.computer.org/computer/co2002/r6toc.htm
    
    -- 
    Tom E. Perrine <tepat_private> | San Diego Supercomputer Center 
    http://www.sdsc.edu/~tep/     | 
    


