While setting up a recent evaluation, I was surprised by the terms and conditions that the vendor was trying to require.
1. Responsibility for the equipment from the moment it is shipped. Has no one else ever received equipment dead on arrival? I figure if the vendor wanted to protect their equipment during shipping they should pack it well and insure it. I don’t even agree with us being responsible for the equipment while it is on-site. Except in the case of negligence, I don’t think we should be responsible. It is the cost of doing business for a company. We have no plans to leave it out in the rain or drop kick it around the data center. It’s in a locked data center with limited badge reader access. Video camera on the doors. We’ve received million dollar SANs before with less commitment. Procurement got them to change this term to once the equipment is received by us. I wasn’t happy about that.
2. Under the terms of the evaluation, I am not allowed to discuss the results of the evaluation. I could understand a desire to prevent me from publishing results to Information Security Magazine. This prevents me from discussing the evaluation here on the blog or even in casual conversation at an ISSA meeting. The vendor re-wrote the requirement so I can discuss it with other Information Security professionals as long as I obtain an NDA from them. What a joke.
In spite of the legal knuckleheads at this vendor, I went ahead with the evaluation. I received the appliance last week. After turning it on and connecting to the console port, there was another license agreement. Part of that committed my company to participating in any future whitepapers with the vendor and allowed the use of our logo in any customer lists. I work for a not-for-profit that has prided itself on objectivity. Too close a relationship with a vendor could be seen to hurt that credibility. Participation in a whitepaper is not something to sneak through in a clickthrough agreement.
I guess they are expecting no one to read those things.