Open Source and information security mailing list archives
From: cerebus at sackheads.org (Timothy J.Miller)
Subject: Shiver me timbers.

On Monday, August 19, 2002, at 12:42 PM, aliver@...il.com wrote:

> 	However, if we consider a problem that involves someone being able
> to easily perpetrate a malicious action against the car owner due to a
> manufacturer defect, then it's apt. See how that works? Now, trucking
> right along, if someone decides to make a hobby or a career out of finding
> these specific types of defects, they don't really have any obligation to
> report them for free to anyone. They did the work to find the bug, they
> _will_ decide what's morally right to do afterwards regardless of how many
> "standards" documents are written by people who think they have superior
> ethics. If that means they want to withhold the information for what they
> consider to be a better purpose, then it's not only their choice, but they
> also might be morally justified to do so. It all depends on the
> circumstances.

Okay, I'll concede the bad analogy, and the misapplied substitution of 
your own.  My bad, I'll pay more attention next time.

I think, at this point, I see the common ground we share.  I agree that 
whether to disclose a new vulnerability is ultimately the decision of 
the discoverer.  I do not agree that an ultimately convincing case can 
be made where non-disclosure is morally preferable to disclosure.  I do 
not, of course, have the ethical or legal authority to enforce my 
opinion on others.

-- Cerebus

