Dylan16807 2 days ago

But those aren't the same thing. The basic idea of "responsible disclosure" is that you give the vendor enough time that they could make and deploy a patch. This might involve coordination or it might involve an upfront deadline. "Responsible disclosure" by itself doesn't give the vendor any control. (Unless you're worried about them suing you, but if you're worried about that your whole strategy needs to change far beyond disclosure timing.)

If you want a different term that's fine, but I don't agree with framing it as all or nothing or the suggested replacement.

akerl_ 2 days ago

Giving the vendor a deadline up front is coordinating with the vendor. You brought them in on a plan for what you’re going to do and asked them to take actions as part of that plan.

Dylan16807 2 days ago

Reporting the bug to the vendor is coordinating in a weak sense, but you're not coordinating the disclosure unless they have input in how the disclosure happens.

If an email asking them to fix it qualifies as coordinated disclosure, then an immediate public post about the bug is also coordinated disclosure. It also brings them in and asks them to take actions.

tptacek 2 days ago

Even "responsible disclosure" didn't necessarily give vendors input into "how" the disclosure happened, only "when".

tptacek 2 days ago

There is no basic idea of "responsible disclosure". The term was literally coined so that vendors could call researchers "irresponsible" when they didn't do what the vendors asked. Sometimes immediate disclosure is warranted!

Dylan16807 2 days ago

I get it, you don't like that term.

But the idea of releasing after a fixed delay is fine. That idea should have a name.

We shouldn't imply that releasing after a delay and giving the vendor power over it are the same thing. They should not be lumped together under "coordinated disclosure".

tptacek 2 days ago

It does have a name. The name is "coordinated disclosure". Coordinated disclosure isn't an absolute good; it often is, and the name is descriptive of the goal.

"Coordinated disclosure" very specifically does not mean "giving the vendor power over it".

Dylan16807 2 days ago

Coordinated disclosure is a terrible term to use when there is no coordination of the disclosure!!

It should not be what we call "Here's a bug report, by the way I'm posting publicly in 90 days."

tptacek 2 days ago

This is not an interesting debate. There are two terms in common use. I didn't make either of them up. One is coercive and Orwellian; the other, according to you, is imprecise. I'll live with the imprecision.

If you want to call a disclosure "irresponsible", be prepared to litigate based on the facts of that particular case; there are very few universal ethical rules of disclosure, and those few are only rarely broken in blog posts.

Dylan16807 2 days ago

Let's use neither term in some situations then.

It's not just "imprecise" when the term claims exactly one thing and that thing didn't happen.

If people start referring to any non-immediate disclosure as "coordinated", that causes the same kind of bad effect you were worried about. People get pressured to coordinate because they think most researchers are always coordinating. I don't want that to happen either.

I would never say "irresponsible" just because of timing. You're right that "responsible" is a mess. But "coordinated" if misused also is a mess and also gets coercive.

akerl_ 2 days ago

You've picked a really weird hill to die on here. Coordinated disclosure exists and means what we're describing it to mean: a disclosure where the researcher attempts to reach out to the vendor to remediate prior to publication.

That you've latched on to a specific opinion about what "coordination" means that excludes that behavior doesn't change how the term works in the security field, what it means, or whether or not it's preferable to "responsible disclosure" to describe that set of actions.

Dylan16807 2 days ago

> You've picked a really weird hill to die on here.

The original objection is only about implications. My hill is similar in size and shape, about implications.

> Coordinated disclosure exists and means what we're describing it to mean: a disclosure where the researcher attempts to reach out to the vendor to remediate prior to publication.

> That you've latched on to a specific opinion about what "coordination" means that excludes that behavior doesn't change how the term works in the security field, what it means, or whether or not it's preferable to "responsible disclosure" to describe that set of actions.

Responsible disclosure also exists and means what we're describing etc.

In practice both terms are treated as basically the same. If we only cared about what already exists and is roughly correct, then both sides of this conversation would be wrong. Both sides are latching onto a specific opinion about what a word means, one side "responsible" the other side "coordinated". So unless you're calling me and tptacek wrong to care, you need a better reason than this.

akerl_ 2 days ago

The original objection was about branding: the term "responsible disclosure" was specifically coined by entities that wanted to frame involving the vendor prior to disclosure as good, and disclosing immediately to the public as bad. We shouldn't use it, because that framing is incorrect.

"Coordinated disclosure" doesn't have any of that. It means "You gave the developer information in advance so that they could prepare/remediate/etc". Which is what it means to coordinate. If I call you up and say "Hey Dylan, I'm going to be at the bar in an hour if you want to grab drinks", I'm coordinating. If I just turn up at the bar and start drinking without contacting you, I am not coordinating.

We don't need to invent another bag of terms for the varying ways that you can respond to my message, because the primary party that matters when we're talking about disclosure methodology is the person releasing the disclosure.

Dylan16807 a day ago

It's not a friendly invite that could turn into doing a thing together. "I'm going to do something you probably don't like in this many days, by myself." is not coordinating. It's too one-sided.

Replace going to the bar with telling me you're going to the grocery store, with no expectation that if I show up you'll talk to me.