by resonantcore 4187 days ago
> I'm left with the impression that your primary goal is that I publicize any vulnerability to other people, and the secondary goal is that I tell you.

That is correct. If the world knows, then Scott will also be informed.

> It seems that even if I'm practicing full disclosure, telling the author at the same time I tell the world is a 1st order goal.

That is your choice, you are not obligated to do so with Scott.

If he makes a mistake, he wants hackers to call attention to it. He wants people to see his mistakes and how he responds. Maybe follow his example: to accept mistakes graciously, and immediately issue a patch that adequately addresses them.

If he gets burned in the process, that's the price Scott is willing to pay to improve.

Or maybe he's just cocky and is bluffing everyone because he thinks he's too good of a programmer to make a security-affecting mistake. Only way to find out is to audit his open source code and drop 0days onto Full Disclosure ;)

1 comments

Maybe I'm explaining my confusion poorly.

I understand wanting people to call attention to mistakes, and wanting that call-out to be clear and loud. I understand accepting that feedback.

But if it were me, my step #1 would be "disclose this via FD or whatever dispersal method you feel is appropriate, and tack my-address@example.org onto the CC line. That way we make sure I get your feedback and can address it". The goal of getting the author involved as part of step 1 isn't to hide from mistakes, it's to make sure the author doesn't get left in the dark just because they miss a mailing list digest line.

> It's to make sure the author doesn't get left in the dark just because they miss a mailing list digest line.

I intended to address this with my comment here:

> If he gets burned in the process, that's the price Scott is willing to pay to improve.

If Scott gets left in the dark, he feels that it is his fault for making a coding error in the first place. At this point, he no longer deserves to be enlightened. If the vulnerability discoverer feels like being nice and sharing this information first or simultaneously, wonderful. But if they botch it or maliciously post it everywhere else in the world, then no hard feelings. If it is public knowledge, eventually the problem will be fixed.

The key motive here is that at no point are third parties bound to regulate their behavior or self-censor. At no point will rudeness and/or publicly disseminating exploit code lead to any sort of criminal liability so long as the targets include Scott, Scott's code, and any systems solely under Scott's control.

Scott carries no legal stick. As a third-party security researcher with no business relationship with Scott, you should be empowered to give Scott as much advance/simultaneous notice as you feel is appropriate. With no requirements.

Let me frame it another way: The very act of publishing a security vulnerability benefits two parties: The publisher/vendor/author of the code that contains the vulnerability, and the public. In the case of Scott's open source software, the interest that matters most is the public interest. The public should be informed so they can decide whether or not they wish to continue to trust the code quality that Scott produces.

So what if Scott's servers get rooted and rm'd? He'll wipe them and write better code next time.

At no point will Scott impose any restriction on what you decide to do with your ideas that were inspired by reading his work. Even if your mind goes to dark places. All he asks is, just don't hurt the public. He's not exactly in a position to waive the right for the general public to press charges if you hack into their systems.