Symantec Buys SecurityFocus, among others.

[full-disclosure () lists netsys com (Nick FitzGerald)]

Blue Boar replied to Jay D. Dyson:

> >     The idea cannot be copyrighted[1], but the code (which includes
> > the exploit methodology) can be copyrighted with all the cursory terms
> > and conditions for use.
>
> You can't copyright an algorithm, only an implementation.  You need a 
> patent to protect an algorithm.  Good luck patenting buffer overflows.
>
> > > You can decline to let someone mirror your exploit or advisory verbatim,
> > > but there's nothing you can do to keep someone from reporting about a
> > > vulnerability. 
> >     Sure you can...especially under the auspices of the DMCA.  Hell,
> > when you get down to it, all we need is one wild-eyed lawyer[2] on our
> > side who'll toss a flurry of lawsuits and we'll pretty much have the
> > corporate security firms by the short-and-curlies.
>
> You think you can stop a news agency from reporting that there is a 
> vulnerability in product X, that works like Y and Z?  I think you'll find 
> you're mistaken.  I'd love to see it play out, though.
>
> > 1.  Ideas, names and phrases can be trademarked, however.
>
> Not ideas.  Names, yes.. but that just means someone has to call their 
> version of the exploit something different.  And trademarks are expensive 
> to obtain and defend.

Release exploits with the vaguest of descriptions as to how they work 
(lost for examples -- just copy'n'paste the "technical bits" of some 
of the security bulletins from MS...).  Have the _only_ PoC code a 
compiled binary loaded with copyright notices forbidding reversing, 
etc.  Be sure to use some "encryption" (extremely trivial is OK as 
complexity doesn't matter; can you say XOR?) in the PoC to "protect" 
the important secret (generally the overflow "string" itself).  Be 
capricious in who you prosecute under the DMCA for incoporating 
vulnerability detection of this flaw into their products.  (Many 
other "pro-reversing" laws allow reversing if doing so is the only 
(practical) way to ensure compatibility or system inter-operation -- 
this should not be a defense against reversing a security 
vulnerability exploit...)

> Many people can be intimidated with a lawsuit.  Seems like the groups in 
> particular you are concerned about aren't the ones to try threatening with 
> lawyers, though.

Do you really care if you win lots of money in such a case, or just 
that you win?  I'm sure you'd find good lawyers who would take such 
cases on a "no win no fee" basis so long as they got a sizable chunk 
of ones they did win.  They'd only have to win a few before you'd 
made your point.

Of course, IANAL...


Regards,

Nick FitzGerald