On 8 June 2014 09:16, Owen Tuz <[email protected]> wrote:

> I am also not a lawyer, but think you would have serious problems getting
> this to hold up in any court.
>
> What you're describing is equivalent to the email disclaimers used by many
> businesses - "If you have received this email in error, please delete it
> without reading its contents" and so on. Such contracts are by their nature
> implicit (they assume an agreement) and it is thus usually enough for the
> recipient to explicitly state that they do not agree.
>
> That is, it becomes harder to assume an agreement in the face of an email
> saying "I do not agree"!
>
> Despite this, such disclaimers aren't totally legally bankrupt: for
> example, many businesses do include a confidentiality clause as above
> because, even if not binding in itself, it is useful to be able to
> demonstrate that the recipient of a message knew its contents were at least
> *supposed* to be confidential.
>
> However, I don't believe you could enforce a contract of the kind you are
> suggesting.
>
> There are bigger problems with your model, though. Firstly, if the vendor
> doesn't reply, you don't even have that implicit agreement - so the email
> provides no protection for you if/when you decide to publicly release
> details of the vulnerability in question.
>
I understand your criticism and I am aware that this type of email provides little to no protection. However, I think the analogy is incorrect. These terms and conditions would have to be part of a very specific process that would have to be followed by the researcher. The process would have to be like this:

1) You contact the vendor saying that you have found a vulnerability in their product and wish to communicate with them, asking for an email back.
2) An individual in the company emails you back.
3) You send the terms and conditions, stating that the individual will be accepting them on behalf of the company (possible weak point here).

At this point it branches out into two possible paths.

First path:

4a) The individual replies back saying they agree to the terms and conditions.
5a) You send the details, ask for a release date, etc. ...
6a) Fix gets released and you release the advisory. Further branching into two paths:
7aa) The company sues you. OR
7ab) The company does not sue you.

The second path after 3) would be:

4b) The individual replies back saying they do NOT agree to the terms and conditions.
5b) You inform them that you will not reveal to them the details of the vulnerability (or alternatively do not even reply).
6b) You release the details of the vulnerability anonymously.

So as long as you follow the script above, there are 3 possible outcomes.

- In 7ab) you are not sued.
- In 6b) you cannot be sued. You have not provided any details of the vulnerability to the company (the email in 1) cannot provide any specific details in any way). It is practically impossible for the company to sue you unless they have NSA-like capabilities or power, and you send the details to full-disclosure or whatever using Tor.
- In 7aa) you get sued. Again, I'm not a lawyer, but I do believe the agreement would afford you some sort of legal protection here.
The fact that an individual who is part of the company accepted the agreement, plus the fact that the company collaborated with you with regard to dates, coordinated disclosure, etc., suggests that they have implicitly followed the agreement. The only problem I can see is if the company implies that the individual who accepted the agreement did not have the authority to do so.

> Secondly, if a vendor truly believes (correctly or not, let's not get into
> that) that you have done something illegal then they will take you to court
> anyway. Simply put, you can't write a contract that lets you break the law.
>

That is true, but the fact that the vendor believes you will be breaking the law does not mean you are indeed breaking it. The DMCA protection in the US should be sufficient, provided they cannot invoke the "national security" clause.

But I do see a bigger problem with this. By forcing a company to accept this legal agreement, you might draw unwanted attention to yourself from what would otherwise be a friendly company if you had followed a normal disclosure procedure. Things can get ugly once the legal department gets involved, and lawyers have a way of complicating things...

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
