In the letter from HP, extortion under Massachusetts General Law, Chapter 265, Section 25, was mentioned. "Finally, SnoSoft and its members may face additional penalties under various criminal statues of the Commonwealth of Massachusetts including, but not limited to, criminal extortion (M.G.L. c. 265 § 25)."
http://www.state.ma.us/legis/laws/mgl/265-25.htm
www.state.ma.us_legis_laws_mgl_265-25.htm

I compared the law with the Full Disclosure policies here. I looked up pecuniary.
http://www.ietf.org/internet-drafts/draft-christey-wysopal-v
uln-disclosure-00.txt
http://www.wiretrip.net/rfp/policy.html
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=48

Those Full Disclosure policies say in many ways with emphasis retained from the Internet Draft.

* Hello, vendor you have a software bug. I can exploit it.
Here is the proof.
* Now you the "Vendor MUST" do some things. The "Vendor
MUST" do them quickly (increasing [A].)
* Or the "reporter should" tell everyone about the bug
(exponentially increasing [A].)

Is not forcing a vendor to patch her software for her customers on the reporter's schedule "or else" extortion?

[A] It costs money to fix software bugs. Disclosure of software bugs have negative financial impact for the vendor and positive financial impact for the reporter. Unless this is just a hobby for the likes of ISS or SNOSoft.

[B] I am not an attorney.

[C] I am not an expert.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/100/16069#16069