On Thu, Aug 01, 2002 at 09:54:08AM -0400, Brooke, O'neil (EXP) wrote:
> [SNIP]
> > If the client was not notified, after the vulnerability was published (not
> > the exploit), businesses affected by the security hole, could sue the
> > vendor. The vendor may have chosen not to inform its clients of the
> > potential security problem, and thus did not do its due diligence.
> [SNIP]

Does notification really make any difference?

Vendors grant a usage license. They still *own* the software, so they are
responsible for any problems in the first place. (Just like a car rental
agency is responsible in the first place if a client violates the law with
their car). No matter what their EULA says.

So why not sue the vendor for any problems and tell him to sue his
licensee, to get the money back from him?

IANAL, but shouldn't that work?

\Maex