Home page logo
/

basics logo Security Basics mailing list archives

Re: Non Disclosure Agreements
From: "David J. Bianco" <bianco () jlab org>
Date: 09 May 2003 15:08:30 -0400

On Thu, 2003-05-08 at 13:09, Tim Heagarty wrote:

I can only disclose vulns in the system to the customer and to my client.
The customer cannot disclose vulns that I find in their system to anyone but
the vendor/my client.
[...]

I feel like my hands would be tied. If I found something that I felt was
major and the vendor did not then I could not expose it to bugtraq or
anywhere else to protect the safety and privacy of the end user. Not even
the vendor's customer could expose the holes in their system without the
vendor's approval.

This is quite normal, and I think entirely appropriate.  The vendor in
this case is your client.  They're paying you to do some work for them,
so I think it would be a serious ethical breach for you to publish
vulnerability information based upon work done on their dime.  If you're
allowed to disclose the vulnerability to the end client, then that
should be good enough.  If they agree it's a serious vulnerabilty, they
can take it up with their vendor (your client) directly and there's no
need for you to become involved.  On the other hand, if they don't
believe it's a serious vulnerability, and you can't convince them 
otherwise, that's their responsibility.  As a consultant, all you can
do is point the way.  Others have to want to go there of their own free
will.

        David


-- 
David J. Bianco, GSEC GCUX              <bianco () jlab org>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint:  516A B80D AAB3 1617 A340  227A 723B BFBE B395 33BA 

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.



---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault