SecurityFocus 2001-11-09
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
Shocking developments
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (2 replies)
Such a policy for disclosure already exists
2001-11-09
Dumky (1 replies)
Such a policy for disclosure already exists
2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
...on second thought...Kudos!
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (1 replies)
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-10
Rafal Sybilla-Leszczynski (1 replies)
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-12
Anonymous
Microsoft have no server monopoly: this may reduce their share
2001-11-12
Kirsten Bayes (kirruth@hushmail)

Consider,
- company/person X finds a flaw and advises M$ of it
- the rest of us get the promised limited disclosure
- I hear about the bug, but details are too sketchy for me to identify systems at risk.
- I get hacked
- fix is released & full disclosure occurs
- I can now see that with the extra info I could have identified my systems at risk.
Am I not now in a position to sue? My business has suffered a loss. It was a loss which people knew about and deliberately withheld the info I could have used to mitigate the damage. Am I not able to make a case that their withholding that information harmed me?
In the past (and the present) the quick answer was M$ has deeper pockets and can run you round court till you die. But now, I have five fresh and presumably smaller targets I can hit who are all sharing the same info we are told.
Are these guys not road kill that just hasn't seen the headlights yet?
Enno.
Link to this comment: http://www.securityfocus.com/comments/articles/281/8758#8758