by md224 4573 days ago
> This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.

Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.

3 comments

Well I think we are blurring two different issues here. The first question is whether or not full disclosure is acceptable. The second question is whether or not it is acceptable to choose it because one is not being paid.

As far as full disclosure being acceptable, there are a lot of advocates. For example, Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.

Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.

You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.

Your analogy is missing the public interest: the business is the post office or similar and has all the neighbors' mail lying around. Does not affect your point though (still not okay to just announce it to the neighborhood).
Do you become a little more recognized by your peers by publishing that the door is open to your neighborhood?

Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on Twitter?

Like most analogies, it shows your bias rather than some enlightenment on the subject.