I stand by what I said at the time: https://news.ycombinator.com/item?id=43492940 - and if you only read one thing, read the harrassment an atop contributor was subjected to by "eslerm": https://github.com/Atoptool/atop/issues/330#issuecomment-275...

I bring it up because of the unmissable parallels. Google are trialling a policy to see what will happen, but this incident shows already what can happen.

RbtB is a trusted blog by the HN crowd, and her vaguepost unexpectedly whipped up hysteria. It was only quelled by a post with more details the next day. Google Project Zero has enormous levels of trust, intends to vaguepost as policy, and not post more details the next day to satisfy the mob.

It does not look good for volunteer maintainers to suffer an entire world of talentless clowns rifling through every commit and asking "is this the bug Project Zero found?"

▲

tptacek 4 days ago | parent [-]

The "Rachel By The Bay" blog and Google Project Zero are not reasonable comparands in matters of vulnerability disclosure.

▲

amiga386 3 days ago | parent [-]

I think it's a fair illustration of what irresponsible disclosure looks like.

I expect Project Zero will be monitoring carefully; for all their good intentions, this policy trial has the potential to go as badly wrong as the atop disclosure did, for everything they announce.

You can reasonably expect massive, worldwide scrutiny in anything P0 announces has a vulnerability in it without also disclosing the vulnerability, and this extra attention has the potential to overwhelm FOSS maintainers, even if they have fixed the vulnerability and are waiting for coordinated disclosure.

▲

tptacek 3 days ago | parent [-]

"Responsible disclosure" is an Orwellian term made up by vendors to coerce vulnerability researchers into working for and on vendor release schedules.

▲

amiga386 3 days ago | parent [-]

Did you not see the panicked, stupid, wrong mob that the vaguepost whipped up, with your own eyes? It is very easy to whip up a mob: 1) be well regarded and trusted, and 2) post a vague statement about a specific target (e.g. "you might want to stop running atop") where a lot of people will see it. The mob will then form, start speculating, and a pile of them won't be able to help themselves and will start picking over every single thing in the repository. "Is this the bug?" "No." "Is this the bug?" "No." "This contributor is Jia Tan, isn't he?" "No they are not." and so on.

Maintainers always welcome genuine security reports, and especially love a working PoC. But they don't have time to deal with idiots, spammers, shysters and chancers who submit bullshit reports, or ask for hand-holding to submit what will turn out to be bullshit reports, and they definitely don't have time to engage in idle speculation. It wastes their time, and reduces the time they have to look at what could be genuine reports.

Imagine what would happen if Project Zero posted "you might want to stop running ffmpeg" with no further details. That's effectively what's being proposed. A million idiots descend upon the project with "Hey guys I heard Project Zero found a vulnerability in ffmpeg. How exciting! Is it this free(NULL)?"

There is nothing wrong with responsible and coordinated disclosures, even if vendors take liberties, and yes you should set an upper bound for disclosure. But if your policy is "I will disclose to the public that I found a bug in specific software, but not what the bug is", accept that you are likely to unleash chaos, especially if you are a well-regarded and trusted researcher.

▲

tptacek 3 days ago | parent [-]

Again, simply not interested in comparisons between GPZ and the Rachel By the Bay blog.

	▲	amiga386 3 days ago \| parent [-]
		We're going round in circles now, so let's just say we will see what happens. Project Zero seems upbeat, but acknowledges this risk: > We understand that for some vendors without a downstream ecosystem, this policy may create unwelcome noise and attention > This is a trial, and we will be closely monitoring its effects. They don't explicity spell out what they would consider a failure of this policy trial. I think failure would look like the example I have outlined, but at greater scale.