by droopybuns 4526 days ago
I disagree that "responsible disclosure" is tired, nor a meme.

Software development is hard. Most projects are developed by teams, not single contributors. Consequently, part of reporting bugs is enduring the back and forth of communications with teams. Reporting bugs is not an all-or-nothing game.

It certainly isn't tired, and "responsible disclosure" policies are absolutely preferred over any sort of free-for-all distribution and posting of PoC code to the world before the vendor. I think most professional security researchers have always subscribed to the general idea of responsible disclosure of vulnerabilities, even before things like RFPolicy [0] brought the concept to a wider audience.

However by any reasonable definition [1] it is a meme, being a "unit for carrying cultural [...] practices that can be transmitted [...] through writing [or] speech." Remember that memes existed as a concept long before LOLcats and formulaic GIF images with amusing text macros on the Internets...

    [0] http://www.wiretrip.net/p/libwhisker.html
    [1] https://en.wikipedia.org/wiki/Meme
My problem is not with companies preferring advance notice, or with people who abide by what is called "responsible disclosure". Indeed, it is often the Right Thing To Do.

The problem is that use of the phrase "responsible disclosure" FRAMES anything that does not conform to that narrow definition as "irresponsible disclosure", when in reality it simply is not. (It is not irresponsible to pull a @homakov, for instance.)

It's "framing": a way that use of language shapes our thinking about the world and events therein, sometimes and usually without our explicit conscious consent to such bias.

Please stop using the term. "Advance developer/vendor notification" is a suitable replacement if you wish.

If we were playing table tennis, I would comment on the tremendous amount of english you put on that ball.

On the one hand, I concede your point. I think your phrasing is certainly more accurate. However it isn't quite as expressive to the layman.

On the other hand, there are so few people out there who truly can grasp the nuances that you're focusing on, I am wary of propagating your valid point.

I still think "responsible disclosure" is a better (albeit damaged) descriptor.