lambda 6 hours ago

If they want to be seen as responsible rather than opportunistic, then yeah, they should do a proper coordinated disclosure.

Sure, they have no legal obligation to disclose, but we all also have no legal obligation to buy their services. Blacklisting bad actors like this is the right move to discourage this kind of behavior.

john_strinlai 3 hours ago | parent | next [-]

>they should do a proper coordinated disclosure.

They did a proper coordinated disclosure, following the industry-standard 90+30 process. That is why the exploit dropped 30 days after the patch landed.

The kernel team should have communicated with their downstream about the importance of the patch. That is the kernel security team's responsibility -- and they are much better positioned to do that than crossing your fingers and hoping every reporter will contact every distro every single time there is a vulnerability.

There are very good reasons disclosure works this way, backed by a couple of decades of debate about it.

selectively 6 hours ago | parent | prev [-]

Who cares about how you are seen when you are selling 0day for big bucks? The bad actor makes more money than the 'legitimate' one without breaking any law. Punishing someone who didn't alert distros despite a patch being available encourages the company to simply find flaws and sell them for profit - it pays more to begin with.

_yttw 6 hours ago | parent | next [-]

If they want to take advantage of disclosure for marketing, they're either going to need to accept the norms around responsible disclosure, or they're going to need to accept how shirking those norms will come off. That's life in society. Sometimes it's annoying and sometimes it doesn't feel rational, but these norms have been negotiated throughout the history of our industry and are the way they are for reasons good and bad.

I just don't see the point in complaining about how shirking the norms of your industry will make you look irresponsible. I don't really care that they could have decided to sell the vulnerability instead. It isn't material.

tptacek 5 hours ago | parent | next [-]

It is absolutely not true that viable commercial vulnerability labs need to "accept the norms around responsible disclosure". There are no such norms. "Responsible disclosure" is an Orwellian term cooked up between @Stake and Microsoft and other large vendors to coerce researchers into synchronizing with vendor release schedules. It was fantastically successful at that, and it's worth pushing back on at every opportunity.

Tavis Ormandy dropped Zenbleed right onto Twitter. He's doing fine. You can blacklist him if you want; I imagine he's not going to notice.

SCHiM 5 hours ago | parent | next [-]

Microsoft's policy is: "if you contact us with a vulnerability, you automatically agree to the terms of our responsible disclosure policy", which includes waiting 30 days after a patch was created, and says nothing about how long that process takes.

There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all...

prmoustache 2 hours ago | parent | next [-]

Since no contract is signed, this is just pure fantasy on your part.

leni536 4 hours ago | parent | prev [-]

I wonder if "if you contact us... you automatically agree" stands in court. That's just ridiculous.

tptacek 4 hours ago | parent [-]

Reader, it does not.

_yttw 5 hours ago | parent | prev [-]

You're right, they don't need to. They have an alternative, to accept what people say or think about them in response. That's what I said.

expedition32 18 minutes ago | parent [-]

So how do we feel about Linux distributors who have their heads up their asses and sat on their hands for 30 days?

selectively 6 hours ago | parent | prev [-]

Those norms do not exist. Those are people asking companies to do stuff to benefit the person complaining for free, and many companies will not do that.

_yttw 6 hours ago | parent [-]

It seems to me you're unaware of them, but there are strong norms around disclosure. They've been discussed for decades. It is the expectation that vendors would be notified in a scenario like this.

selectively 5 hours ago | parent [-]

No, there are users who want those to be norms. Qualified researchers happily sell substantive vulns to people who pay (Governments/Cellebrite and companies like that) enough to quell any complaint.

_yttw 5 hours ago | parent [-]

Which is again, irrelevant to the question of how disclosure works and what expectations there are around it because that is not disclosure and is not what was being discussed.

dirasieb 5 hours ago | parent | prev [-]

It's called building and preserving a high trust society, you wouldn't understand.

DaSHacka 2 hours ago | parent [-]

How does someone being incentivized to sell a vulnerability to a private organization over disclosing it publicly preserve a "high trust society"? Do you mean in the context of a "deceptively high-trust society"?

Those private actors aren't planning to sit around and hold onto these exploits they've hoarded forevermore; they're obviously paying for them so they can one day use them.