And what happens when the vendor won't indemnify the researchers? No more security bulletins? Wouldn't the vendors love that. Or would security researchers become outlaws?

-----Original Message-----
From: Chris Wysopal [mailto:weld (at) vulnwatch (dot) org [email concealed]]
Sent: Tue 3/22/2005 4:26 PM
To: Marchand, Tom
C...

[ more ]