Contracting for Secure Code
Chris Wysopal, 2009-03-06

Forcing suppliers to attest to the security of provided software is gaining adherents: Just ask Kaspersky Lab.

Third-party software 2009-03-11
Andre Gironda
Yes, but you're missing the most important part of these kinds of contracts.

I think it's super-important for contracts to include language to have a supportable application, regardless of where software security fits in: feature requests, functional requirements, non-functional requirements, somewhere else, or nowhere at all.

A supportable application includes:
1) The source code control repository
2) All build artifacts
3) The test harness
4) Product engineering documentation
   3a) Effect sketches, DTDs, UML, etc.
   3b) Structural elements and changes over time
   3c) Functionality elements and changes over time
   3d) Refactoring elements with changes over time, including scratched refactorings
   3e) Architectural and user stories

If the above listed items cannot be included in the contract, then they should be placed into escrow.
http://en.wikipedia.org/wiki/Source_code_escrow


Caveat Emptor 2009-03-12
Ron
Copyright 2009, SecurityFocus