Comment Re:It takes two to tango (Score 1) 334
Suppose I find a remotely exploitable flaw in a major open source project, such as BIND or sendmail or Apache. I communicate the flaw to the vendor. It responds quickly, confirming my find and working with system integrators to release patches. The patches are well publicized and widely available. Subsequently a black hat releases an aggressive worm which exploits this vulnerability. It does $1 million in damages. Is the vendor (ISC, Sendmail Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory damages? If so, is it also liable for punitive damages because it should never have introduced that bug in the first place, even though it did its best to respond?
Put another way, if I'm Microsoft and I want to destroy open source, should I start looking for vulnerabilities in big open source projects?
"Reasonable steps" is a very vague term. You have made the point that the researcher needs protection from an unreasonable vendor, but vendors also need protection from unreasonable researchers. Any system which unfairly protects either side courts abuse.