[OWASP-TESTING] Re: [Owasp-dotnet] Semi-anonymous e-mail account for submissions to OWASP
Andrew van der Stock
vanderaj at greebo.net
Wed Apr 20 19:04:33 EDT 2005
I think the major problem with this is that the people who wish to contribute
anonymously need to seriously think about getting their contracts modified.
In Australia, it's a breach of the Trade Practices Act to restrict people
working outside hours on ANYTHING - even industries closely allied with your
I am not suggesting that people should violate their NDAs or IP with their
employer - if you know something about a particular product, it's probably
not useful to us anyway, and if you developed a new attack method on your
employer's time and used their resources, well they paid for it, and they
own it. Again, not something we can easily use.
However, the rest of your time is your own, despite employer claims to the
contrary. Particularly when you do not use any employer time or resources to
do activity X. Employers have often shoved "everything you know and
everything you will do whilst employed by us is ours". I refer them to the
TPA. You cannot contract an illegal act, and you cannot contract to reduce
rights given to you by law. Generally, I am contracted to do 40 hours of
work a week, plus whatever I am willing to give away if I've made an
estimation error in my timings. If they really want to own all of my stuff,
they can pay me for 168 hours a week, and give me a laptop computer and
outfit my home office, pay for the space on a commercial basis, and pay my
mobile and comms bills. They don't do these things, so they don't get
anything after 5.30 pm.
A few years ago, my friend Luke and I came up with the idea that it is a
good idea to get the IP thing out of the road early on. As I was the
President of SAGE-AU at the time, we had a lawyer draft it, and it's legal
for Australia. If you share our common law, it's likely that it'll work in
the UK and possibly even the US.
The OSDA explicitly sets out what you can do out of hours if you're in any
doubt. I use it from time to time when I don't get through to a particular
employer's thick skull that they actually don't own my time.
On 19/4/05 5:58 PM, "Daniel" <daniel.cuthbert at owasp.org> wrote:
> Morning all,
> At the previous OWASP London meeting (and AppSec con held the other
> weekend), there was talk of having some form of mechanism in which people
> could submit documents/code/tools/advice etc to OWASP but not be in breach
> of their NDA/Contract/Current terms of employment.
> Whilst we work on a more suitable solution, I've set up a gmail account
> called owaspsubmissions at gmail.com
> All the relevant people will have access to this mail account and we will
> take the information sent from you all and sanitize it so that no personal
> details are left that could identify you.
> Hope this helps?