[WEB SECURITY] What do security researchers want in a security disclosure policy to reduce their liability?
- From: "Andy Steingruebl" <steingra@xxxxxxxxx>
- Subject: [WEB SECURITY] What do security researchers want in a security disclosure policy to reduce their liability?
- Date: Thu, 9 Aug 2007 14:36:47 -0700
I wrote a blog entry the other day titled "Security Reporting Policies
That Encourage Responsible Disclosure" in light of the recent CSI
report about legal liability for security researchers who test web
application security and disclose the results.
http://securityretentive.blogspot.com/2007/07/security-reporting-policies-that.html
If you found a flaw in the security of a website where you didn't have
the explicit authorization from the site owner (i.e., you hadn't traded
mail with them, you don't have a contract, etc.) to have done security
testing, what factors would you look for in their security reporting
page that would give you the confidence that if you reported the issue
you wouldn't have the FBI at your door?
My post covers some of the scenarios and suggestions for what a policy
would cover. I'd appreciate feedback on what sort of language and/or
policy would make you feel confident in reporting an issue you
discovered. In today's climate would you ever feel comfortable, what
sort of guarantee would the company have to give, etc?
Thanks
--
Andy Steingruebl
steingra@xxxxxxxxx
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org