Slashdot Mirror

← Back to Stories (view on slashdot.org)

Responsible Disclosure — 16 Opinions

Posted by ryuzaki0 on from the one-man's-meat dept.

An anonymous reader writes, "Disclosure. Just a word, but in the security field it is the root of progress, sharing knowledge and getting bugs fixed. SecurityFocus published an interesting collection of quotes about the best disclosure processes. The article features 11 big vendors, 2 buyers of vulnerabilities, and 3 independent researchers. What emerges is a subtle picture of the way vendors and researchers differ over how much elapsed time constitutes 'responsible.' Whereas vendors ask for unlimited patience, independent researchers look for a real commitment to develop a patch in a short time. Nice read." Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

2 of 87 comments (clear)

  1. Why there is no entry for 'responsible disclosure' by John+Fulmer · · Score: 3, Insightful
    Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."


    It may be because 'full disclosure' has meaning in the security community, while 'responsible disclosure' does not.

    All 'responsible disclosure' is is a set of general ethics and courtesy that security researchers give programmers/companies/entities in order to make an orderly repair of a vulnerability. It is a function of 'full disclosure', not something in of itself.

    Slightly related: I've read things that liken 'full disclosure' to yelling "Fire!" in a crowded theater. I tend to think it of yelling "Fire!" in a theater made of flash paper doused in gasoline, while one of the jugglers is preparing to light his flaming torches.

    In other words, yelling 'FIRE!' is permissible, if there is actually a high likelyhood of fire...
  2. Re:Why there is no entry for 'responsible disclosu by QuantumG · · Score: 3, Insightful

    Sorry, no, that's bullshit. If you wanna make stupid analogies, at least get them right. Calling "Fire!" in a crowded theatre is absolutely perfectly ok, if there is a fire. However, if you know there is a fire and know that people will, sooner or later, get burnt, going for a stroll to the front office and asking to talk to the manager, tell him there is a fire, and have him say "Yeah, we'll get to that in about 120 days, on average" is not ethical. It's not responsible. It's participating in a conspiracy that belittles the people in the theatre and hampers their ability to make a valid risk assessment.

    --
    How we know is more important than what we know.