Storage vendor offers a real guarantee — but check out those fine-print exceptions

News | March 12, 2026 | Artifice Prime

For as long as most junior coders have been alive, tech vendors have talked up performance guarantees while neglecting to detail just what happens if they don't deliver as promised.

I have been begging vendors to knock off these deceptions for a long time — a very long time.

Last week, I briefly celebrated when storage vendor Scality announced a guarantee and backed it up with a promised payment of $100,000 if it failed. So far, so good.

In its announcement, the company boasted that the guarantee did not come with a lengthy list of limitations. “Unlike complex vendor programs that advertise larger amounts but are difficult to claim,” the vendor said, “Scality’s guarantee is designed to be clear, accessible.” 

It argued that the guarantee was “simple” and came with “straightforward eligibility” requirements and company execs made a lot of noise about what they were doing.

In an interview, Scality CMO Paul Speciale elaborated, dismissing other companies that deliver a “long list of stipulations and terms” and an “onerous list of conditions.”

In a statement, Scality CEO Jérôme Lecat said, “With this cyber guarantee, we’re putting our money where our architecture is. It’s a simple, direct promise that reflects the confidence we have.”

Given that we journalists are a cynical and suspicious lot, those words sounded too good to be true, so I took a look at the company’s end-user license agreement (EULA). More on that in a moment, but let’s just say my suspicions turned out to be warranted. 

Read the EULA

The lesson here for IT? Always read every word in the EULA and other documents before signing any deals. 

Let’s start with the guarantee, which relates to customers using its Artesca storage line: “A $100,000 financial guarantee to customers if an external cyberattack destroys or encrypts data stored immutably on Artesca. The program applies to every Artesca customer without requiring the purchase of additional services. As long as organizations keep Artesca up to date and protect data using Object Lock in compliance mode, they qualify for the guarantee.” 

Forget the limitations in the fine print; even the initial offer has limits. The cyberattack must be external — somehow exempting insider attacks from this guarantee — and the attack must destroy or encrypt data. If an attacker simply exfiltrates data, or even just accesses it without authorization, the customer gets no money. (This Willy Wonka clip strikes the right note.)

By the way, the absence of exfiltration was no oversight. As Speciale said, “Even with stolen or leaked credentials, we can prevent data stored immutably from being deleted or encrypted. But anyone with proper access credentials can read and therefore exfiltrate data. A deletion/encryption can be audited whereas a data exfiltration cannot be audited.”

He also said his company has mechanisms in place to make it less likely for an attack on the vendor to expose customer data. “First, our support team does not have the customers’ Artesca access credentials,” Speciale said. “Next, even if we would, our product implements MFA, so it would not be enough that the credentials are stolen. The device enabling the real-time second factor authentication needs to also be under control of the attacker, a much rarer occurrence. This would require more active participation of the person attacked by the social engineering, but again we don’t even have the access credentials for the customers’ system to begin with.”

What other limits are in the fine print? “Customers must notify Scality within 48 hours of discovering a qualifying incident and cooperate in root cause analysis, including providing relevant logs and telemetry.”

Oh, really? A customer that’s just been hit with a cyberattack is going to be insanely busy those first two days. Customers could easily blow by that deadline — if they’re even aware of it — before even thinking of applying for the money.

Speciale said the 48-hour time frame is only for an initial heads-up. Why the short window? “If a customer waits weeks or months to report the incident, critical system logs may be overwritten, and evidence of how the breach occurred will be lost, making it impossible to verify if the software failed or if the customer made a configuration error.” So Scality wants to see those logs to decide for itself whether the incident qualifies.

The dilution of the guarantee deepens elsewhere. The news release said the guarantee “applies to every Artesca customer without requiring the purchase of additional services.” Not exactly, given that it excludes free-license customers.

The documents also limit that ethereal $100,000 to customers “with a minimum of 50TB license.” That’s not an especially onerous requirement, but it does undermine the “applies to every Artesca customer” claim.

There is also a strange exemption that kicks in if an attacker does anything beyond deleting or encrypting data; the EULA says that encryption or deletion must be “the direct and sole consequence” of the attack.

How much is enough?

Scality also includes this interesting line in its news release: “Many Artesca customers protect 50TB or more, while investing only a few thousand dollars per year in software. For those customers, a $100,000 payout represents a multiple of their annual investment, thereby delivering very strong proportional assurance.”

But when a breach occurs that is the vendor’s fault, the issue is how much did that mistake cost the customers. If a customer loses $15 million, the company CFO is not going to say, “That’s OK because we only spent $10,000 on the product.” That company is going to want full compensation.

It makes me wonder: Is this guarantee a cute way of sidestepping a civil court verdict that could easily cost far more? The EULA says: “Licensee acknowledges and agrees that the Guarantee Payment shall constitute the sole and exclusive remedy for any Qualifying Cyber Incident, and no other damages, including, but not limited to, direct, indirect, incidental, or consequential damages, shall be available to the Licensee.”

Asked about this, Speciale said that other paperwork signed by the customers already blocked alternative legal mechanisms, whether by civil lawsuit or arbitration. 

“The guarantee is actually an enhancement, since without the Cyber Guarantee, standard commercial terms from most storage vendors, including Scality, disclaim liability for loss of data or a security breach. Our standard liability is also capped at the amount paid by the customer.” 

In other words, if customers don’t read the initial documentation carefully before signing it, they have already surrendered their right to be made whole.

Maybe loudly touting a guarantee that comes with an extensive list of exemptions is slightly better than offering no guarantee at all. But the underlying lesson remains: caveat emptor has never been more apt.

Original Link:https://www.computerworld.com/article/4143641/storage-vendor-offers-a-real-guarantee-but-check-out-those-fine-print-exceptions.html
Originally Posted: Wed, 11 Mar 2026 11:21:59 +0000


Artifice Prime

Artifice Prime is an AI enthusiast with over 25 years of experience as a Linux sysadmin. They have an interest in artificial intelligence, its use as a tool to further humankind, and its impact on society.
