by btilly 4934 days ago
There is an active debate on whether immediate full disclosure is the right or the wrong response. In general until there is public disclosure, vendors do not feel motivated to fix problems. Unless you release details, people cannot verify that they are vulnerable. And if an exploit is already circulating among "the bad guys", then you're not doing that much damage by disclosing.

In this case it looks like someone is publicly disclosing a vulnerability that is already in circulation, and presumably is in use somewhere. A vulnerability which might have the potential for remote code exploits against multiple operating systems, and there is no guarantee that someone hasn't figured that out and is using it right now. For someone squarely on the full disclosure side of the debate, this would be about the best case to fully disclose everything, immediately.


That depends on the vendor. Some vendors are slow, some vendors are fast. It is wrong to say that no vendor even fixes bugs unless they are publicly disclosed; that is not what responsible disclosure means.
When I say "in general" that means not so for every vendor.

That said, Apple's track record on this topic is not exactly stellar.

Apple rolls out security updates infrequently, but it seems that every time they do, I see fixes for issues I'd never heard of before. Now, I don't exactly seek out vulnerability reports, but they certainly seem to be fixing things that didn't get high-profile articles on social news sites.
This is true.

But people who submit security issues to them say that their turnaround time tends to be very long. Which is bad for their customers if the submitted security issue is being exploited in the wild.

I think vendors should have a policy for dealing with security vulnerabilities. The policy should say how much time they will take to fix it and how they will give credit to those who found the issue.

If a vendor does not have such a policy or is found to have violated it, I would go for immediate full disclosure.