Message-ID: <CAM5XQnwCjMZC6rJtHGK=dDOMwimM-yas_KO0nxtFtmEfOc1=sw@mail.gmail.com>
Date: Fri, 13 Dec 2013 12:29:10 -0600
From: Jordon Bedwell <envygeeks@...il.com>
To: Gary Baribault <gary@...ibault.net>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure

On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@...ibault.net> wrote:
> Of course, all software companies would love for the disclosure to wait
> for the fix to be released, and often, if the delay is considered
> reasonable by the hacker in question who found the bug, then that's what
> happens. I think it's only in the case where the company considers the
> bug to be minor or non-existent, and they are asking for a ridiculous
> delay that many hackers will say, 'tough luck, I'm disclosing on xx' and
> he takes his chances that most of us agree with his decision. As Mikhail
> said, if the hacker came across the bug without any illegal means then
> he should be fine after the release (but IANAL).

It's this so-called "hacker" that defines this so-called "time limit", which makes it both a moral and an ethical decision of your own making if you don't see that the release schedule is fit. The fact of the matter is that in large companies it sometimes takes time to release updates, and if you haul off and release a major security bug because you don't feel that the timeline fits in with your guidelines, that is your ethics decision. Most people do not disclose because of timelines; they disclose because of a lack of updates and information on what is going on. Companies are told (for example) "please respond within 90 days to let me know if you have fixed it and when release will happen so we can coordinate, or I will disclose it."
More often than not when dealing with people, I find that as long as you keep them informed of what's going on and when it's going to happen, and that they will get credit for helping, then they are more than happy to work with you. I don't know where you got this magical idea that ethical security researchers just haul off and release a security bug if they think Microsoft or Apple took a week too long to release the update.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/