I wonder if it's possible to challenge H1 legally for enforcing an unlimited NDA on those bug reports while never acting on them? Do you know of any precedent?
Quote Tweet
Valve ignoring security researchers is not just specific to the secret club. Here we see Bien Pham demonstrate his Remote Code Execution exploit that has not been patched for over a year. twitter.com/bienpnn/status…
I don't recall if I explicitly signed any contract when signing up for H1 or the Valve program, but are you sure there is no legal way for them to sue for damages when violating their agreed rule set? Of course I have never read the ToS, they're probably massive.
If there is no actual legal leverage for them then I guess what I said does not apply. It would be at the researcher's discretion to forfeit their participation in the platform to set an example. Not exactly a great look for H1 either, but less problematic.