by sophacles 1020 days ago
This sounds like a reasonable approach (sorry for the pun). One question - reasonable to whom? (who? - English is my first language, sorry).

I ask because when I was doing security research, we'd often present issues and get responses like "but who is going to think of that?" or "No one could find that", only for someone to think of or find it later and take over a system. I still occasionally hear this from software developers (even though the industry as a whole has gotten much better over the years), but quite often from people who work in "cyberphysical" systems (e.g. IoT).

Part of the tension seems to come from the fact that some infosec people can be equally unreasonable, declaring something utterly useless if there's a remote theoretical chance of a problem.

Unrelated to the above:

> Maybe here, a vulnerability needs to be patched if it might reasonably be expected to allow an attacker to take control of a device...

I suspect you know this and shortcut it for conversation, or maybe these are all the same legally, but "take control of a device" isn't the only win condition - DoS, info leaks, and so on also exist. I note this because I'm kind of curious if the law considers those the same or vastly different scenarios, and if any sort of FCC regulations would include them.