by qual 703 days ago
Could you help me understand what you are suggesting is done instead?

To me, it seems like you're suggesting that vulnerabilities are just left in play until someone malicious comes along and decides to do some real damage. But that seems so silly that I must be missing some alternative that you're thinking about.

3 comments

> it seems like you're suggesting that vulnerabilities are just left in play until someone malicious comes along and decides to do some real damage

That's how security mostly works in meatspace, yes.

In the specific case of internet-connected software, the industry has a lot of experience saying that if something is exploitable then someone will come along and exploit it, so we don't normally need to see an example of it happening in the real world first. It's sufficient to assume that if you get popular enough, a professional blackhat will find your bugs and exploit them. It's also reasonable to assume that the cost of a fix is low and the cost of change in the field is also low.

Outside that context the threat models are usually unclear and refined through experience. If you notice someone cut through a wire fence to steal some equipment from a cell tower maybe you build a wall around it instead. But if nobody is stealing anything there's no point in pre-emptively trying to guess that it might happen and building lots of walls because that might just be a waste of resources (perhaps there's no market for stolen tower equipment, so protecting it better would be a waste of resources).

> vulnerabilities are just left in play until someone malicious comes along and decides to do some real damage. But that seems so silly

Well, that's exactly how it tends to work for housing, so I think GP's point is that if it works there it should work here. However, I disagree because the stakes are so different (harming a single family who are free to harden however they like, versus harming the general public who are at the mercy of whatever hardening is done for them).

You've noticed an issue.

You let the manufacturer know, and you let them decide for the next steps.

No ultimatum to threaten to disclose to the public or to ruin their reputation, it's not your business.

In the meantime, you keep it for yourself.

You helped: no lawyers, no problems.

If really there is a safety issue, after a reasonable period of time you can inform the regulators, as it is their job to assess safety.

This is responsible disclosure, not TMZ-style public-shaming.

You're presenting this as if it's a new idea, but the security industry tried the above (for the majority of the time that "computer security" has been a thing) and... it didn't work! That's the whole reason public disclosure came about in the first place -- there's quite a rich history there if you're interested.

Some other thoughts:

> You let the manufacturer know, and you let them decide for the next steps.

Which, as history has proven, generally means the "next steps" are to sweep it under the rug and have it forgotten about until it's exploited by a bad actor.

> it's not your business

But what about when it is? On-topic: I drive a car, so I care about vulnerabilities in traffic lights, as they may directly affect me. It's also my business if my personal data is stolen, or my identity, or corporate data, etc.

> You helped: no lawyers, no problems.

No problems... Until the vulnerability is exploited and it causes me a problem.

> No ultimatum to threaten to disclose to the public or to ruin their reputation, it's not your business.

I found an authentication bypass in a door card access controller. Per the installer I was working with, the units are regularly exposed directly to the Internet. (Heck, the installer was trying to cajole my Customer into doing it for "remote support" reasons.)

Given that there's an impact to the public (albeit not necessarily directly safety-related), I think this kind of vulnerability is still "my business".

If I owned one of these controllers and it was "protecting" my property I'd want to know.

(Fun aside: The installer went so far as to suggest that because their other Customers expose these units to the Internet (particularly a small bank who is "audited" for "security"), it would be okay if my Customer did it. Needless to say, my Customer did not. I let my Customer know about the auth. bypass and we kept the unit locked down in a VLAN w/ a restrictive ACL, but I never publicly disclosed... too afraid of a hostile response from the vendor. Eventually a researcher did find it and disclose it publicly, at least...)