by john_strinlai 52 days ago
>For reference, the standard is 30 for the developer to fix and 90 for it to land on machines

no, the standard is 90 days from notification or 30 days from the patch date, typically whichever is sooner.

e.g.

    > If a vendor patches a security issue 47 days after Project Zero notified 
    > the vendor about the vulnerability, details would be made public on day 77.

    > If a vendor patches a security issue 83 days after Project Zero notified 
    > the vendor about the vulnerability, details would be made public on day 113.

please also note that you are blindly quoting wikipedia articles at people who either currently work in security research, or used to work in security research. while we are not infallible, you should perhaps consider that we at least have real life experience dealing with vulnerability disclosure processes, and aren't just learning about them today from wikipedia. when a room full of experienced professionals are telling you that you are misunderstanding something, that is a sign to step back for a second and maybe reconsider your position.

That's still extremely different to this in one of the GP comments:

> There is no such thing as "the responsible disclosure protocol".

And yes, I admit I got dragged down to their level and beat myself with a dumb stick in the process.

There isn’t such a thing. Coordinated disclosure (sometimes called responsible disclosure by people who want to inject their morals into one available option so as to paint the others as irresponsible) exists. As has been noted, some large groups like Project Zero use 90/+30, but that isn’t a set protocol; it’s a thing some folks picked and others have copied. If a research group announced tomorrow that they were doing a flat 42 days from notification to release, they would still be doing coordinated disclosure.
There is no such thing as "the responsible disclosure protocol".
Hey! I still do SOME work in this space. :)
haha, for the record, the "used to" was primarily referring to myself, who now teaches the next generation instead of practicing! you are probably much more active in the space than i am nowadays