by hifromwork
746 days ago
Cox has a responsible disclosure program: https://www.cox.com/aboutus/policies/cox-security-responsibl.... In my opinion (as a security engineer) the biggest benefit of such programs is not the amoral "hackers will always sell exploits to the highest bidder, so companies must provide a high bounty for bugs in their software"[1] but "having a responsible disclosure process makes it totally clear that it's ok to report vulnerabilities without being sued".

Looking at the timeline below the post, I can't see anything problematic. The author even waited the usual[2] 90 days before disclosure, even though the vulnerability was hotpatched a day after the report (congrats to Cox, btw). They also shared a draft blog post with them a month ago.

[1] They certainly should, in the ideal world.

[2] A deadline popularized (or even invented) by Google's Project Zero.