by jrockway 5033 days ago
You're assuming that the security researcher is the first person to discover the issue. That's rarely the case. Keeping quiet just gives users a false sense of security and ensures that they can't mitigate the security impact on their own (without the help of the vendor).

Knowledge is power. We shouldn't censor ourselves because someone somewhere can be evil with some information. They have other ways of getting the information anyway.

1 comment

The following is meant to be general, rather than about this particular case.

Assuming the goal is to minimize harm, then when to disclose depends on an interplay of several factors. Here are some of them:

1. How many people will discover and exploit the flaw on their own if it is not publicly disclosed.

2. How many people will exploit it if they find out about it, but will not discover it on their own.

3. How fast knowledge of the flaw will spread to the people of #2 without public disclosure. E.g., through word of mouth in hacker or researcher circles.

4. How many users of the flawed system will be able to use knowledge of the flaw in order to protect themselves from the people of #1 and #2.

5. How long the flaw will remain available.

6. How lessons from this flaw will teach others to build more secure systems.

Disclosure affects #2 (disclosure increases harm), #4 (disclosure decreases harm), sometimes #5 (disclosure might push a vendor to action), and #6 (disclosure decreases harm).