by uuuuuuuuuid 1013 days ago
I imagine someone in the many many comments has already suggested this. But just in case:

It would be great if all of my emails to security@somewebsite.com could be CC'd to security@fcc.gov and that would immediately convey to me, somewebsite, and the FCC (and anyone else) that I am indeed disclosing and not ransoming.

I understand there would be a cost that the FCC would bear. I just think it would be a worthwhile cost to incur.

2 comments

I like the general idea of improving communication / transparency.

Perhaps some branch of the government could provide a registry for responsible disclosure (e.g., `https://some-branch.gov/responsible-disclosure`). As a security researcher, you could notify the government of your intent to disclose as a demonstration of due diligence and good faith.

The registry/site could return a case/reference number that could be included with the disclosure to the manufacturer. In addition to discouraging an attitude of defensive reprisal, it might also prevail a greater sense of urgency upon the manufacturer to follow through with remediations.

I'm not sure if it'd be necessary/useful but it might also be interesting to leverage zero-knowledge proofs so that interested parties could verify when the contents of a disclosure were made available without actually accessing the contents until after some attempts at remediation.
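The property the comment above is reaching for (anyone can check *when* a disclosure was lodged and *that* a later-published document matches it, without the registry or the public seeing the contents at lodging time) does not actually need a zero-knowledge proof; a salted hash commitment with a commit-reveal step is enough. The following is an added, self-contained illustration of that pattern and is not code from anyone in this thread; the `Registry` class, the `RD-` reference-number format and the timestamps are constructed placeholders for a hypothetical registry, not any real government service.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def make_commitment(disclosure: bytes, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Commit to a disclosure without revealing it.

    Returns (hex SHA-256 commitment, salt). The random 32-byte salt is what
    stops a third party from guessing a short or predictable disclosure by
    hashing candidate texts and comparing them to the published commitment.
    The researcher keeps the salt secret until the reveal step.
    """
    salt = salt if salt is not None else secrets.token_bytes(32)
    digest = hashlib.sha256(salt + disclosure).hexdigest()
    return digest, salt


class Registry:
    """Hypothetical disclosure registry (constructed for this example).

    It stores only the commitment and a submission timestamp and hands back a
    reference number the researcher can quote to the vendor. It never sees the
    disclosure text itself.
    """

    def __init__(self) -> None:
        self._entries = {}
        self._next = 1

    def register(self, commitment_hex: str, submitted_at: str) -> str:
        ref = f"RD-{self._next:06d}"  # placeholder reference-number format
        self._next += 1
        self._entries[ref] = {"commitment": commitment_hex, "submitted_at": submitted_at}
        return ref

    def lookup(self, ref: str) -> Optional[dict]:
        return self._entries.get(ref)


def verify_reveal(registry: Registry, ref: str, disclosure: bytes, salt: bytes) -> bool:
    """Reveal step: anyone holding the published (disclosure, salt) pair can
    recompute the commitment and compare it to what the registry recorded at
    submission time. A constant-time comparison avoids leaking partial matches."""
    entry = registry.lookup(ref)
    if entry is None:
        return False
    recomputed, _ = make_commitment(disclosure, salt)
    return hmac.compare_digest(recomputed, entry["commitment"])


def demo() -> Tuple[str, bool, bool]:
    """Walk through commit, register, and reveal with constructed sample data."""
    registry = Registry()
    # Constructed sample disclosure; in practice this would be the full report.
    disclosure = b"[constructed] Example report: input validation issue in widget upload handler"
    commitment, salt = make_commitment(disclosure)
    # Constructed timestamp standing in for the registry's own clock.
    ref = registry.register(commitment, "2022-01-01T00:00:00Z")
    # Later, after the vendor has had time to remediate, the researcher publishes
    # the report and the salt; the recorded timestamp proves when it was lodged.
    genuine_ok = verify_reveal(registry, ref, disclosure, salt)
    # A modified report (or a forged backdated claim) fails to match.
    tampered_ok = verify_reveal(registry, ref, disclosure + b" (edited)", salt)
    return ref, genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The registry learns nothing about the vulnerability from the commitment alone, which is the point: the researcher gains a dated, third-party record of good-faith intent, and the vendor gains a way to confirm afterwards that what was published is exactly what was lodged.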
This seems like a pretty clear breach of first amendment rights (we have a right to choose what we say, and who we say it to). It is probably a good idea for researchers to implement this strategy, and obviously more protections are needed for researchers in this area, but eroding the bill of rights is not the way.
I'm a little confused. Can you explain how their proposal is a first amendment violation? If you're referring to "could be CC'd to security@fcc.gov," I assume they mean make it an option, not make it mandatory. Some companies attack you for trying to disclose bugs and exploits -- saying that you're attempting to ransom.