[26461] in bugtraq
Re: It takes two to tango
daemon@ATHENA.MIT.EDU (Tom Perrine)
Thu Aug 1 01:48:34 2002
Date: Wed, 31 Jul 2002 10:53:04 -0700
Message-Id: <200207311753.g6VHr4T25976@lart.sdsc.edu>
From: Tom Perrine <tep@SDSC.EDU>
To: ivegotta@tombom.co.uk
Cc: rms@computerbytesman.com, bugtraq@securityfocus.com,
"E. Kenneally" <erin@postal.sdsc.edu>
In-reply-to: <49ffkuo4l41cbgq47gufgt3upsssmsfoju@4ax.com> (message from Chris Paget on Wed, 31 Jul 2002 11:34:57 +0100)
>>>>> On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <ivegotta@tombom.co.uk> said:
CP> <snip>
>> "Ferson also said that HP reserves
>> the right to sue SnoSoft and its members "for monies
>> and damages caused by the posting and any use of the
>> buffer overflow exploit."
CP> This raises a very interesting point. Bruce Schneier has stated
CP> publicly that he believes vendors should be held responsible for
CP> security flaws in their products
CP> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I
CP> agree with this viewpoint, as, I am sure, do many people on this list.
CP> However, how would this affect the vulnerability disclosure process?
Others, even some lawyers, agree:
http://www.gocsi.com/pdfs/byte.pdf
Erin also had a similar article in ;login: (requires USENIX membership):
http://www.usenix.org/publications/login/2001-12/pdfs/kenneally.pdf
and most recently in IEEE Computer:
http://www.computer.org/computer/co2002/r6toc.htm
--
Tom E. Perrine <tep@SDSC.EDU> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |