by throwayedidqo
3364 days ago
I disagree. There's always a possibility that someone else already knows about it and isn't disclosing it. Waiting to disclose will naturally lead a company to take longer to fix the issue. Immediately disclosing allows customers to take action to protect themselves in case someone else is already exploiting the bug. Waiting to disclose is being peddled by the corporate agenda as "the ethical thing to do" because it makes vendors look bad. Here's typically what happens. You disclose a bug, the company fixes it for the next release and puts a footnote in the release notes. Nobody ever looks to see if it was exploited because the instinct is to bury it. Customers aren't widely notified and the seriousness is downplayed because "the bug is already fixed". In the meantime the software was vulnerable for up to three months when it didn't have to be. If you disclose immediately there's a temporary panic as everyone does mitigating measures (which is how it should always be done!!!). The company is under tremendous pressure to put out a patch in a matter of days, which they usually do. Then you get yelled at by the company for making them look bad and "putting their customers at risk" even though the customers are provably safer because they were only vulnerable for a few hours.
What's really more dangerous, an extra week with a vulnerability that might be known, or two hours with a vulnerability everybody knows about?
Who's really more likely to see that disclosure on your personal Twitter account, every single (potentially non-technical) user of software you aren't even related to, or a few black hats who know you like to hack and brag?
Yes, it also makes companies look better, but in this case my anti-corporate agenda needs to take a back seat.