by palata 927 days ago
Isn't the idea of responsible disclosure to give them some time to fix, and to publish after they have had enough time to fix (or in this case decide not to fix)?

According to Wikipedia [1]:

"In computer security, coordinated vulnerability disclosure (CVD, formerly known as responsible disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue."

and when it comes to Google:

"Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix."

In other words, I think they would publish a vulnerability they would find in your software (after the disclosure deadline). Why wouldn't you do the same for them?

[1]: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...