Security-Closing The Holes While Gagged?
This, wisely anonymous, Anonymous Coward asks: "I am a paid participant of a survey, and as part of my participation I am not allowed to disclose my role in the survey to anyone. This is stated in the documentation though I haven't agreed to any NDA or contract that specifically says so. As part of the survey, users install client software, which I have found to contain a rather significant security hole. I have explained the hole in detail to the company doing the survey, though they haven't responded or updated the client software. I would like to expose the fault publicly to put pressure on them to fix it, though I fear that doing such would constitute a breach of confidentiality for which I would be liable, despite the lack of an NDA."
If the security problem causes someone a real loss, the last thing you want is to be in any way liable for having known about a problem that was not fixed.
Send the company a written report by means of an independent courier who will get a receipt. In that report, say that there is another copy of the report on deposit with an independent holder who keeps a record of the date of deposit and really do that too.
Make sure that there is evidence that you made them aware of the fault. If they fail to act, and someone sues them, you will have some evidence that you acted in good faith, and that the company were negligent rather than just incompetent.
N.B. I Am Not A Lawyer so don't assume that this is good advice.
I remember a while back someone at The Register saying they would willingly take information of questionable (read: possibly illegal due to NDAs) content. Then, they would decide whether or not to publish it, and if any charges came, they would bear the responsibility and less than 1% of the time would it ever get back to the source. Sorry, I don't have a link, but I remember it was posted around the time of the MacNN and Photoshop controversy. Now, I don't know if Slashdot is willing to take such a stance, nor do I know, since IANAL, if NDAs can still bring legal charges against the reporting organization, even if they never signed the NDA.
The above message is probably muddled. Sorry.
Small potatoes make the steak look bigger.
There may be an implicit contract by virtue of the fact that you are being paid for the survey. For there to be a contract, there needs to be consideration, an agreement and indication of acceptance. You may already have implicitly agreed to abide whatever they have put in their documentation by your actions in filling out a survey, say. Ask yourself this, if they were to try to deny paying you, would you feel that they were obligated to based on what you've already done? If so, you are probably obligated not to disclose what you know.
A truly conscientious stand would be to refuse your pay. Are you willing to do that?
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
We will publish this if we can repro it and it will affect enough people -- and we will keep your identity anonymous. You can even e-mail me anonymously if you want to go through a remailer (e.g. http://anon.xg.nu or https://www.privacyx.com).
Regards,
Tim Dyck
Technical Director, eWEEK Labs
timothy_dyck@ziffdavis.com