by NegativeK
396 days ago
For any timeline the company can't hit, whether it's a week or 90 days, they should come up with compensating controls, detections, etc that users can implement. Managing vulnerable software isn't a new science.

> The security researcher should have an approx. idea of how or what to do to fix

Any expectation put on the security researcher beyond "maybe don't cause unnecessary shit storms with zero days" needs to be met with an offer of a fat contract.