Should also point out that getting E&O insurance is a good idea.

Daniel

> On Jun 8, 2014, at 1:34 PM, Dave Warren <da...@hireahit.com> wrote:
>
>> On 2014-06-08 04:03, Paul Vixie wrote:
>> this is concerning, for two reasons.
>>
>> first, for enforceability, a contract requires exchange of
>> consideration. what's yours? i can see that the vendor is receiving
>> something of value (the disclosure) but it's not clear what you're
>> getting in return beyond the opportunity to have your good deeds go
>> unpunished. absence of a negative does not amount to a positive in the
>> eyes of the law.
>
> Indemnity is definitely consideration. I'm not sure that "1- You will not
> attempt to threaten or prosecute the researcher in any jurisdiction." is
> sufficient though, but something similar in appropriate legalese would
> possibly do the trick.
>
> There also needs to be an enforcement or penalty clause that is mutually
> agreeable (and this is probably where most companies will start to wonder if
> agreeing is worthwhile). A contract without an enforcement clause is mostly
> useless since a violation will, at most, allow the opposing party to
> disregard the contract. This works great in a "I will mow your lawn as needed
> for $80/week" contract, in which case in the event of a breach, the other
> party would stop complying with their terms.
>
> In this case, the vendor has an ongoing obligation to not sue, whereas the
> researcher has completed their portion as soon as they reveal the information
> to the company (or as soon as they complete a defined responsible disclosure
> period). If the company chooses to pursue legal action against the
> researcher, the researcher has no remedy in the contract.
>
> At a minimum, agreeing to limit damages in the event of any and all legal
> actions resulting from researching and disclosing the vulnerability would be
> a start.
>
> Still, I like the idea, especially if it's something that a reasonable number
> of researchers use.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/