semiquaver 6 hours ago

“One” would have thought? Can you point to a written policy that says that’s how it should be?

happyopossum 6 hours ago | parent | next [-]

No, nor can I point to a written policy that states one should cover one’s mouth when they cough.

Everyone involved here failed to do the right thing, and hiding behind the lack of written words is weak sauce.

anikom15 6 hours ago | parent | prev [-]

The tenets of decency don’t need to be written down.

tob_scott_a 6 hours ago | parent [-]

If you can't write it down, why would you expect it to be universal and enforceable? Different cultures exist and have different opinions on what "decency" means, after all.

A security researcher's ethical obligations are to protect users over vendors (barring any contractual agreement in place). From what has been discussed in this thread, they meet that bar.

Sure, they could have gone the extra mile to ensure the distros were in a good place to patch before they published the exploit. That's a kindness you can wish for, but don't disparage them for not going that extra mile. It's a bonus.

It's also possible that it simply didn't occur to them to do so this time. There's certainly lessons to be learned either way. I don't know that the right lessons will emerge from hostility.

Quarrelsome 6 hours ago | parent | next [-]

> If you can't write it down, why would you expect it to be universal and enforceable?

and this is the problem. It used to be the case that if you were smart enough to find an exploit you were also smart enough to realise what would happen if you irresponsibly disclosed it. I guess these tools have made that pattern no longer apply.

true_religion 6 hours ago | parent [-]

From my point of view, they told the kernel security team which is in charge of fixing this. If it’s important for them to tell other people, then it should’ve been written down and further reiterated when they made their report.

The skills to detect code exploits are not the same as the skills to navigate an informal org chart to the satisfaction of an amorphous audience of end users (i.e. us on HN).

That said… as they are a company that supposedly specializes in this field, and is trying to sell a product, I do believe they should do better. Right now, I don’t have much confidence in their product.

scragz 6 hours ago | parent | prev | next [-]

different cultures have different views on disclosing vulnerabilities to distros before the public?

embedding-shape 6 hours ago | parent | next [-]

Yes :) The blackhatter would obviously sit on it until they can sell it or use it, the whitehatter collaborates with the kernel and distros to patch, and the greyhatter argues on HN whether the latest *fail was responsible enough or not.

sunshowers 3 hours ago | parent | prev [-]

Yes? "Different cultures" doesn't just mean different countries; there are many cultures within infosec.

anikom15 5 hours ago | parent | prev [-]

There is little difference in culture here. Nearly all open source work is done in English.