What, precisely, do you mean by "irresponsible"? Do you mean "monetarily liable"?
Suppose I find a remotely exploitable flaw in a major open source project,
such as BIND or sendmail or Apache. I communicate the flaw to the vendor.
It responds quickly, confirming my find and working with system integrators
to release patches. The patches are well publicized and widely available.
Subsequently a black hat releases an aggressive worm which exploits this
vulnerability. It does $1 million in damages. Is the vendor (ISC, Sendmail
Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory
damages? If so, is it also liable for punitive damages because it should
never have introduced that bug in the first place, even though it did its
best to respond?
Put another way, if I'm Microsoft and I want to destroy open source, should
I start looking for vulnerabilities in big open source projects?
Reasonable steps is a very vague term. You have made the point that the
researcher needs protection from an unreasonable vendor, but vendors
also need protection from unreasonable researchers. Any system which
unfairly protects either side courts abuse.
It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with Snosoft, here on
Bugtraq. I really feel that HP went way over the line by trying to
place all the blame on Snosoft for HP's security hole by invoking the
DMCA and the Computer Fraud and Abuse Act.
If this particular security hole is ever exploited by the "bad guys",
we'll probably have both HP and Phased to thank. It really does take
two to tango. The Phased exploit code would never have been published
if HP programmers didn't mess up in the first place.
So this quote from Kent Ferson of HP in the News.com article was
probably a big mistake:
"Ferson also said that HP reserves the right to sue SnoSoft and its members 'for monies and damages caused by the posting and any use of the buffer overflow exploit.'"
Pretty clearly if there were ever to be any lawsuits over this
particular bug, HP has much deeper pockets which are much easier to get
to.
Personally, I thought the paper a rather interesting summary of how to get rid of a cracker. Recently my homepage was cracked by a mysterious WebTV user. He posted defamatory statements on my personal message board also. I sent a letter to the WebTV legal department, and as expected, they did nothing. If I had read this paper on Cybercrime, perhaps none of this would have happened.
According to the article, Toonz is commercial payware. Are there any reliable GNU animation tools?