Re disclosure debate: In this specific instance it seems like it either would have been fixed relatively soon with an audit, or it would not have been fixed and Google would need to remove it from their store. Is your only problem my tone? And do you think the point about Google's policy is entirely moot, and if so, why? I think that publicizing against your own policy may be worse than publicizing independently. I think that this violates Google's stated policy, or at least would like an explanation of why it doesn't.

Because, like it or not, and I know from your comments thus far that you do not like this, if Tavis Ormandy said "new rule: you can disclose 15 seconds after discovery, patch or no patch, so long as you yourself are wearing a pirate eye patch with a large googly eye glued to it", a pretty big swath of the security research community would accept that as The New Rule. Your opinions about vulnerability research also get a lot more interesting if you can tell us about your own VR/xdev experience. So while it's one thing to use this incident to give voice to your own reasoning about how disclosure should be handled, it's another thing entirely to moralize about it - in this case, repetitively - with a tone suggesting that the debate has somehow been settled, and you've somehow found out about that before the rest of us. However, on the off chance that you are somehow (despite it being 2015) new to the Great Disclosure Debate, you should be aware that there are other respectable and intellectually coherent rationales for other disclosure schedules, and that you are vanishingly unlikely to be the Internet Message Board Commenter That The Prophets Foretold Would Resolve The Disclosure Debate. That is a perfectly respectable and intellectually coherent rationale for not disclosing bugs you find prior to the availability of their patches.