Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tptacek 2 days ago

There is no basic idea of "responsible disclosure". The term was literally coined so that vendors could call researchers "irresponsible" when they didn't do what the vendors asked. Sometimes immediate disclosure is warranted!

Dylan16807 2 days ago | parent [-]

I get it, you don't like that term.

But the idea of releasing after a fixed delay is fine. That idea should have a name.

We shouldn't imply that releasing after a delay and giving the vendor power over it are the same thing. They should not be lumped together under "coordinated disclosure".

tptacek 2 days ago | parent [-]

It does have a name. The name is "coordinated disclosure". Coordinated disclosure isn't an absolute good; it often is, and the name is descriptive of the goal.

"Coordinated disclosure" very specifically does not mean "giving the vendor power over it".

Dylan16807 2 days ago | parent [-]

Coordinated disclosure is a terrible term to use when there is no coordination of the disclosure!!

It should not be what we call "Here's a bug report, by the way I'm posting publicly in 90 days."

tptacek 2 days ago | parent [-]

This is not an interesting debate. There are two terms in common use. I didn't make either of them up. One is coercive and Orwellian; the other, according to you, is imprecise. I'll live with the imprecision.

If you want to call a disclosure "irresponsible", be prepared to litigate based on the facts of that particular case; there are very few universal ethical rules of disclosure, and those few are only rarely broken in blog posts.

Dylan16807 2 days ago | parent [-]

Let's use neither term in some situations then.

It's not just "imprecise" when the term claims exactly one thing and that thing didn't happen.

If people start referring to any non-immediate disclosure as "coordinated", that causes the same kind of bad effect you were worried about. People get pressured to coordinate because they think most researchers are always coordinating. I don't want that to happen either.

I would never say "irresponsible" just because of timing. You're right that "responsible" is a mess. But "coordinated" if misused also is a mess and also gets coercive.

akerl_ 2 days ago | parent [-]

You've picked a really weird hill to die on here. Coordinated disclosure exists and means what we're describing it to mean: a disclosure where the researcher attempts to reach out to the vendor to remediate prior to publication.

That you've latched on to a specific opinion about what "coordination" means that excludes that behavior doesn't change how the term works in the security field, what it means, or whether or not it's preferable to "responsible disclosure" to describe that set of actions.

Dylan16807 2 days ago | parent [-]

> You've picked a really weird hill to die on here.

The original objection is only about implications. My hill is similar in size and shape, about implications.

> Coordinated disclosure exists and means what we're describing it to mean: a disclosure where the researcher attempts to reach out to the vendor to remediate prior to publication.

> That you've latched on to a specific opinion about what "coordination" means that excludes that behavior doesn't change how the term works in the security field, what it means, or whether or not it's preferable to "responsible disclosure" to describe that set of actions.

Responsible disclosure also exists and means what we're describing etc.

In practice both terms are treated as basically the same. If we only cared about what already exists and is roughly correct, then both sides of this conversation would be wrong. Both sides are latching onto a specific opinion about what a word means, one side "responsible" the other side "coordinated". So unless you're calling me and tptacek wrong to care, you need a better reason than this.

akerl_ a day ago | parent [-]

The original objection was about branding: the term "responsible disclosure" was specifically coined by entities that wanted to frame involving the vendor prior to disclosure as good, and disclosing immediately to the public as bad. We shouldn't use it, because that framing is incorrct.

"Coordinated disclosure" doesn't have any of that. It means "You gave the developer information in advance so that they could prepare/remediate/etc". Which is what it means to coordinate. If I call you up and say "Hey Dylan, I'm going to be at the bar in an hour if you want to grab drinks", I'm coordinating. If I just turn up at the bar and start drinking without contacting you, I am not coordinating.

We don't need to invent another bag of terms for the varying ways that you can respond to my message, because the primary party that matters when we're talking about disclosure methodology is the person releasing the disclosure.

Dylan16807 a day ago | parent [-]

It's not a friendly invite that could turn into doing a thing together. "I'm going to do something you probably don't like in this many days, by myself." is not coordinating. It's too one-sided.

Replace going to the bar with telling me you're going to the grocery store, with no expectation that if I show up you'll talk to me.