by akerl_
4187 days ago
Maybe I'm explaining my confusion poorly. I understand wanting people to call attention to mistakes, and wanting that call-out to be clear and loud. I understand accepting that feedback. But if it were me, my step #1 would be "disclose this via FD or whatever dispersal method you feel is appropriate, and tack my-address@example.org onto the CC line. That way we make sure I get your feedback and can address it". The goal of getting the author involved as part of step 1 isn't to hide from mistakes, it's to make sure the author doesn't get left in the dark just because they miss a mailing list digest line.
I intended to address this with my comment here:
> If he gets burned in the process, that's the price Scott is willing to pay to improve.
If Scott gets left in the dark, he feels that it is his fault for making a coding error in the first place. At this point, he no longer deserves to be enlightened. If the vulnerability discoverer feels like being nice and sharing this information first or simultaneously, wonderful. But if they botch it or maliciously post it everywhere else in the world, then no hard feelings. If public knowledge, eventually the problem will be fixed.
The key motive here is that at no point are third parties bound to regulate their behavior or self-censor. At no point will rudeness and/or publicly disseminating exploit code lead to any sort of criminal liability so long as the targets include Scott, Scott's code, and any systems solely under Scott's control.
Scott carries no legal stick. As a third-party security researcher with no business relationship with Scott, you should be empowered to give Scott as much advance/simultaneous notice as you feel is appropriate. With no requirements.
Let me frame it another way: The very act of publishing a security vulnerability benefits two parties: The publisher/vendor/author of the code that contains the vulnerability, and the public. In the case of Scott's open source software, the interest that matters most is the public interest. The public should be informed so they can decide whether or not they wish to continue to trust the code quality that Scott produces.
So what if Scott's servers get rooted and rm'd? He'll wipe them and write better code next time.
At no point will Scott impose any restriction on what you decide to do with your ideas that were inspired by reading his work. Even if your mind goes to dark places. All he asks is, just don't hurt the public. He's not exactly in a position to waive the right for the general public to press charges if you hack into their systems.