From maru at scip.ch Fri Aug 7 03:21:42 2015
From: maru at scip.ch (Marc Ruef)
Date: Fri, 7 Aug 2015 08:21:42 +0000 (UTC)
Subject: [VIM] Legal Threats to Take Down Vulnerability Entries
Message-ID: <423501908.34351.1438935702373.JavaMail.zimbra@scip.ch>

Dear participants,

Once in a while we receive legal threats by vendors, PR companies and lawyers to take down vulnerability entries published in our public database. The reasons are usually:

* They don't like bad publicity
* They think mentioning their product is a copyright issue (sic!)

The disputed entries are usually not only available at our database. Other vulnerability databases and resources (news, mailing lists, bug tracking systems) are usually mentioning the issues too.

How do you react to such inquiries?

Regards,

Marc

-- 
Marc Ruef | maru at scip.ch
scip AG | Badenerstrasse 623 | 8048 Zurich
T +41 44 404 13 13 | F +41 44 404 13 14


From jericho at attrition.org Fri Aug 7 11:16:23 2015
From: jericho at attrition.org (jericho)
Date: Fri, 7 Aug 2015 11:16:23 -0500 (CDT)
Subject: [VIM] Legal Threats to Take Down Vulnerability Entries
In-Reply-To: <423501908.34351.1438935702373.JavaMail.zimbra@scip.ch>
References: <423501908.34351.1438935702373.JavaMail.zimbra@scip.ch>

: Once in a while we receive legal threats by vendors, PR companies and
: lawyers to take down vulnerability entries published in our public
: database. The reasons are usually:

We have in the past, but it has been some time since we received a veiled or "real" legal threat (meaning it was just email saying they would sue if we didn't do what they want).

: The disputed entries are usually not only available at our database.
: Other vulnerability databases and resources (news, mailing lists,
: bug tracking systems) are usually mentioning the issues too.

I always point out that the information is in other VDBs, as well as the original disclosure point, which is often mirrored on a half dozen blogs now.

: How do you react to such inquiries?

In no uncertain terms, we tell them to fuck off.


From aviram at beyondsecurity.com Fri Aug 7 11:28:08 2015
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Fri, 7 Aug 2015 18:28:08 +0200
Subject: [VIM] Legal Threats to Take Down Vulnerability Entries
References: <423501908.34351.1438935702373.JavaMail.zimbra@scip.ch>

> : Once in a while we receive legal threats by vendors, PR companies and
> : lawyers to take down vulnerability entries published in our public
> : database. The reasons are usually:
>
> We have in the past, but it has been some time since we received a
> veiled or "real" legal threat (meaning it was just email saying they would
> sue if we didn't do what they want).

Likewise. It's been years.

> : The disputed entries are usually not only available at our database.
> : Other vulnerability databases and resources (news, mailing lists,
> : bug tracking systems) are usually mentioning the issues too.
>
> I always point out that the information is in other VDBs, as well as the
> original disclosure point, which is often mirrored on a half dozen blogs
> now.

Our approach is to say something like: "We are happy to add a 'vendor response' section to the advisory. Let us know what you want to be included there." They usually get the hint and decide to give us a blurb (sometimes slightly offensive, but who cares). Some of them are really dim and need a few back and forths until they get it.

If they insist, we say: "We'll include your email in the vendor response. Thank you for your input," and paste it verbatim. That never fails to get them to send in a proper, and usually polite, response.

> : How do you react to such inquiries?
>
> In no uncertain terms, we tell them to fuck off.

We have lawyers on retainer. Having lawyers talk to each other is fun.

- Aviram


From smoore at securityglobal.net Fri Aug 7 12:45:20 2015
From: smoore at securityglobal.net (Stuart Moore)
Date: Fri, 7 Aug 2015 13:45:20 -0400
Subject: [VIM] Legal Threats to Take Down Vulnerability Entries
References: <423501908.34351.1438935702373.JavaMail.zimbra@scip.ch>
Message-ID: <55C4EEB0.3090607@securityglobal.net>

*Paying* to have lawyers talk to each other is not fun.

Thankfully, it has been a very long time since we have received any nasty-grams. In general, we ask the vendor to identify factual errors for correction or to provide a statement, and we will also annotate the alert with an editor's note. The vendors that have complained in the past tend to be very small vendors with a lack of understanding of security processes.

Stuart
SecurityTracker

On 8/7/15 12:28 PM, Aviram Jenik wrote:
> We have lawyers on retainer. Having lawyers talk to each other is fun.