Re: It takes two to tango

From: Markus Stumpf (maex-lists-security-vuln-devat_private)
Date: Thu Aug 01 2002 - 11:50:30 PDT


    On Thu, Aug 01, 2002 at 09:54:08AM -0400, Brooke, O'neil (EXP) wrote:
    > [SNIP]
    > > If the client was not notified, after the vulnerability was published (not
    > > the exploit), businesses affected by the security hole, could sue the
    > > vendor.  The vendor may have chosen not to inform its clients of the
    > > potential security problem, and thus did not do its due diligence.
    > [SNIP]
    
    Does notification really make any difference?
    Vendors grant a usage license. They still *own* the software, so they
    are responsible for any problems in the first place. (Just like a car
    rental agency is responsible in the first place if a client violates the law
    with their car). No matter what their EULA says.
    
    So why not sue the vendor for any problems and tell him to sue his licensee,
    to get the money back from him?
    
    IANAL, but shouldn't that work?
    
    	\Maex
    


