[VIM] Legal Threats to Take Down Vulnerability Entries

[Aviram Jenik]

>
>
> : Once in a while we receive legal threats by vendors, pr companies and
> : lawyers to take down vulnerability entries published in our public
> : database. The reasons are usually:
>
> We have in the past, but it has been some time since we received a
> veiled or "real" legal threat (meaning it was just email saying they would
> sue if we didn't do what they want).
>

Likewise. It's been years.


>
> : The disputed entries are usually not only available at our database.
> : Other vulnerability databases and ressources (news, mailinglists,
> : bugtracking system) are usually mentioning the issues too.
>
> I always point out that the information is in other VDBs, as well as the
> original disclosure point, which is often mirrored on a half dozen blogs
> now.
>

Our approach is to say something like: "We are happy to add a 'vendor
response' section to the advisory. Let us know what you want to be
included there".

They usually get the hint, and decide to give us a blurb (sometimes
slightly offensive, but who cares). Some of them are really dim and
need a few back and forth until they get it. If they insist, we say:
"we'll include your email in the vendor response. Thank you for your
input" and paste it verbatim. That never fails to get them to send in
a proper, and usually polite, response.


>
> : How do you react regarding such kind of inquiries?
>
> In no uncertain terms, we tell them to fuck off.
>
>
We have lawyers on retainer. Having lawyers talk to each other is fun.

- Aviram
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.attrition.org/pipermail/vim/attachments/20150807/ee8f9b35/attachment.html>