tptacek 5 hours ago

It is absolutely not true that viable commercial vulnerability labs need to "accept the norms around responsible disclosure". There are no such norms. "Responsible disclosure" is an Orwellian term cooked up between @Stake and Microsoft and other large vendors to coerce researchers into synchronizing with vendor release schedules. It was fantastically successful at that, and it's worth pushing back on at every opportunity. Tavis Ormandy dropped Zenbleed right onto Twitter. He's doing fine. You can blacklist him if you want; I imagine he's not going to notice.
SCHiM 5 hours ago (parent)

Microsoft's policy is: "if you contact us with a vulnerability, you automatically agree to the terms of our responsible disclosure policy", which includes waiting 30 days after a patch was created, and says nothing about how long that process takes. There is actually no way to give them a friendly heads-up and then do your own thing. The only way not to be bound is by not sending them any notification at all...
_yttw 5 hours ago (parent)

You're right, they don't need to. They have an alternative: to accept what people say or think about them in response. That's what I said.