> It would set a REALLY BAD precedent if the legal system decided that people
> attempting to help fix bugs were to be tarred with the same brush as those
> trying to exploit them.

Think carefully about this. I hate to say it, but there is a legal precedent in regards to this.

Caution: I am not a lawyer and may have some of the terms wrong. If you have questions, please consult a lawyer for clarification.

It is based on common law and is a tort liability. This is described in the document:

csrc.ncsl.nist.gov:/secpubs/stewart.ps

From the index:

stewart.ps 11-08-92 Potential Liabilities of Computer Security Response Centers - PostScript only

To quote from the document about tort liability:

"There is no general common-law duty to rescue a stranger in distress even if the rescue can be accomplished at no cost to the rescuer... But if you do begin to rescue someone, you must complete the rescue in a nonnegligent fashion even though you had no duty of rescue in the first place"

The document goes on to state:

"Section 323 of the "Restatement of Torts" provides that: One who undertakes, gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of the other's person or things, is subject to liability to the other for physical harm resulting from his failure to exercise reasonable care to perform his undertaking, if (a) his failure to exercise care increases the risk of such harm, or (b) the harm is suffered because of the other's reliance upon the undertaking"

An example of how this might be applied is that if I see a person bleeding to death and walk on by, I cannot be held liable or negligent if the person dies. But if I stop and provide aid, but do not apply everything I learned about first aid 20 years ago, and the person dies, then the victim's family can sue me for negligence in the victim's death. They may not win in court, but the court would find that the suit has merit and would proceed with it.

This is the basis for the very unpopular policies that CERT uses when it releases a security alert (please do not discuss problems with CERT; after reading this document, I am amazed that CERT publishes anything at all).

Apologies in advance if people do not find this directly related to firewalls or security bug tracking, but I found the document to be a very eye-opening document.

Again, I am not a lawyer. If you have questions, please consult a lawyer.

RLH

> For info about our Sendmail Made Simple and Advanced Sendmail classes and <
> a schedule of dates and locations, please send email to info@harker.com <

Robert Harker                          Harker Systems
Sendmail and TCP/IP Network Training   1180 Hester Ave
Network and Sysadmin Consulting        San Jose, CA 95126
harker@harker.com                      408-295-9432