by tptacek 3591 days ago
That may feel good to say, but as someone whose job it was to find these kinds of bugs in software from companies ranging from tiny startups to financial exchanges to major tech vendors, this is a kind of carelessness shared by virtually everyone shipping any kind of software anywhere.

That said, the term "responsible disclosure" is Orwellian, and you should very much avoid using it.


How is "responsible disclosure" Orwellian?
It's coercive. It redefines language to make any handling of vulnerabilities not condoned by the vendors who shipped those vulnerabilities "irresponsible", despite the fact that third parties who discover vulnerabilities have no formal duty to cooperate with those vendors whatsoever.

The better term is "coordinated disclosure". But uncoordinated disclosure is not intrinsically irresponsible. For instance: if you know there's an exploit in the wild for something, perhaps go ahead and tweet the vulnerability without notice!

Do you think there's a moral imperative for researchers to responsibly disclose discovered vulnerabilities?

I see it as a kind of Hippocratic Oath in the field.

No.
Maybe I don't understand you. Are you suggesting that, if you find a vulnerability in a piece of software, you aren't ethically obligated to confidentially disclose the vulnerability to the maintainer so it can be patched before the vulnerability becomes publicly known? If so, why? What is a person who found a vulnerability ethically obligated to do?
No, of course you aren't. Why would you be?
The meaning of the words "responsible" and "irresponsible" extends beyond "formal duty".
I'm sure that's true, but that's not responsive to my argument.
I obviously thought so, otherwise I wouldn't have said it.
The only responsive argument I can come up with based on your original comment depends on you not knowing what the term "responsible disclosure" means, and instead trying to back out its meaning from the individual words "responsible" and "disclosure". But that's not what the term means.

A good shorthand definition for "responsible disclosure" is "report to the vendor, and only to the vendor, and disclose to nobody else until the vendor chooses to release a patch, and even then not until a window of time chosen by the vendor elapses."

Maybe you thought I was saying "the only way to disclose responsibly is to honor a formal duty to the vendors of insecure software". No, that was not my argument. If you thought it was, well, that's a pretty great demonstration of how the term is Orwellian, isn't it?

Or I could be missing part of your argument (it was quite terse, after all). Maybe you could fill in some details.

this is a kind of carelessness shared by virtually everyone shipping any kind of software anywhere.

I don't feel wrong saying that all of those are irresponsible. There are some people who write good code, who at least make an effort to avoid vulnerabilities, and those are the responsible ones.

If you find one of them in the wild, take a picture, so we can have some evidence they exist.
They exist all over the place. OpenBSD, DJB, Knuth, at companies I've worked for, you'll find people who care, and code responsibly. The rest of you need to get your act together.
Someone mentioned selling vulnerabilities on the black market as a better alternative to doing these "responsible disclosure" and bug bounties. What's your take on that? Is it a better route to take?
For the most part I think selling vulnerabilities on an actual "black market" is intrinsically unethical, and makes you a party to the bad things people who buy exploits on an actual black market do with them.

Thankfully, the black market doesn't want 99.99999% of the vulnerabilities people find.

I have friends who have sold vulnerabilities to people other than vendors. I do not think they're unethical people, and I don't know enough about those transactions to really judge them. So, it really depends, I guess. But if it were me, I'd be very careful.

It's dangerous, and might be illegal, so be careful if you decide to do that.