Re: It takes two to tango

From: Kyle R. Hofmann (krhat_private)
Date: Wed Jul 31 2002 - 19:25:09 PDT


    On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget wrote:
    > IMHO, vendors SHOULD be responsible for security holes.
    
    What, precisely, do you mean by "responsible"?  Do you mean "monetarily liable"?
    
    Suppose I find a remotely exploitable flaw in a major open source project,
    such as BIND or sendmail or Apache.  I communicate the flaw to the vendor.
    It responds quickly, confirming my find and working with system integrators
    to release patches.  The patches are well publicized and widely available.
    Subsequently a black hat releases an aggressive worm which exploits this
    vulnerability.  It does $1 million in damages.  Is the vendor (ISC, Sendmail
    Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory
    damages?  If so, is it also liable for punitive damages because it should
    never have introduced that bug in the first place, even though it did its
    best to respond?
    
    Put another way, if I'm Microsoft and I want to destroy open source, should
    I start looking for vulnerabilities in big open source projects?
    
    > However,
    > before that can be done there needs to be some kind of law put in
    > place to protect the researchers who find the holes.  Doesn't need to
    > be much, just a blanket law that if the researcher has taken
    > reasonable steps to alert the vendor, they cannot be held liable for
    > the consequences of releasing the advisory. If that doesn't happen,
    > things are going to get messy.
    
    "Reasonable steps" is a very vague term.  You have made the point that the
    researcher needs protection from an unreasonable vendor, but vendors
    also need protection from unreasonable researchers.  Any system which
    unfairly protects either side courts abuse.
    
    -- 
    Kyle R. Hofmann <krhat_private>
    



    This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 23:08:10 PDT