Home page logo

basics logo Security Basics mailing list archives

RE: Non Disclosure Agreements
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 12 May 2003 11:19:32 -0700

  It seems to me that the work that they're hiring you for
is not likely to produce discoveries of the form "program
XXX is vulnerable to exploit by doing YYY" -- the sort of
thing Bugtraq would be interested in -- but rather more
"company AAA has currently deployed a version of XXX that
still contains known vulnerability YYY".
  Publicizing such a discovery might, in itself, be construed
as an attack on (or incitement to attack) company AAA.

  California has a new law requiring disclosure of actual
compromises (not vulnerabilities), and other jurisdictions
may follow suit.  As long as the agreement makes it clear
that you are not responsible for ensuring compliance with 
such requirements, I don't think there's a problem.

David Gillett

-----Original Message-----
From: Tim Heagarty [mailto:Tim () TheaSecure Com]
Sent: May 8, 2003 10:09
To: security-basics () securityfocus com
Subject: Non Disclosure Agreements

I have a potential client that wishes me to go to their 
customer's site and
perform various normal analysis activities on a system that 
the client has
written and installed at the customer's site. My client wants 
me to produce
a NDA with them that would contain the following points.

I can only disclose vulns in the system to the customer and 
to my client.
The customer cannot disclose vulns that I find in their 
system to anyone but
the vendor/my client.

These are large public systems that are used by thousands of 
end users and
contain great potential for customer harm if the system has a 
problem that
is not immediately repaired. A small vuln would allow 
thousands of private
records to be exposed.

I feel like my hands would be tied. If I found something that 
I felt was
major and the vendor did not then I could not expose it to bugtraq or
anywhere else to protect the safety and privacy of the end 
user. Not even
the vendor's customer could expose the holes in their system 
without the
vendor's approval.

Have you folks run across this before? What did you do? Any ideas?

Tim Heagarty CISSP, MCSE
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."

FastTrain has your solution for a great CISSP Boot Camp. The 
industry's most 
recognized corporate security certification track, provides a 
prospectus based upon the core principle concepts of 
security. This ALL INCLUSIVE curriculum utilizes lectures, 
case studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter 
for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 

Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]