Hacker News
by sneak 4519 days ago
Hey githubbers, could you please stop repeating the tired "responsible disclosure" meme?

Full disclosure is not irresponsible and attempts to frame it as such are bordering on malicious toward the exact community in which you are attempting to engender goodwill.


I disagree that "responsible disclosure" is tired, or that it is a meme.

Software development is hard. Most projects are developed by teams, not single contributors. Consequently, part of reporting bugs is enduring the back and forth of communications with teams. Reporting bugs is not an all-or-nothing game.

It certainly isn't tired, and "responsible disclosure" policies are absolutely preferred over any sort of free-for-all distribution and posting of PoC code to the world before the vendor. I think most professional security researchers have always subscribed to the general idea of responsible disclosure of vulnerabilities, even before things like RFPolicy [0] brought the concept to a wider audience.

However by any reasonable definition [1] it is a meme, being a "unit for carrying cultural [...] practices that can be transmitted [...] through writing [or] speech." Remember that memes existed as a concept long before LOLcats and formulaic GIF images with amusing text macros on the Internets...

    [0] http://www.wiretrip.net/p/libwhisker.html
    [1] https://en.wikipedia.org/wiki/Meme

My problem is not with companies preferring advance notice, or with people who abide by what is called "responsible disclosure". Indeed, it is often the Right Thing To Do.

The problem is that use of the phrase "responsible disclosure" FRAMES anything that does not conform to that narrow definition as "irresponsible disclosure", when in reality it simply is not. (It is not irresponsible to pull a @homakov, for instance.)

It's "framing": a way that use of language shapes our thinking about the world and events therein, sometimes and usually without our explicit conscious consent to such bias.

Please stop using the term. "Advance developer/vendor notification" is a suitable replacement if you wish.

If we were playing table tennis, I would comment on the tremendous amount of english you put on that ball.

On the one hand, I concede your point. I think your phrasing is certainly more accurate. However it isn't quite as expressive to the layman.

On the other hand, there are so few people out there who truly can grasp the nuances that you're focusing on, I am wary of propagating your valid point.

I still think "responsible disclosure" is a better (albeit damaged) descriptor.