bigbadfeline 3 hours ago
> Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit. Just fyi. Be glad it was disclosed at all.

I'm so glad these so-called "researchers" aren't totally evil, I'm so grateful they're only half evil, give them a lollipop. Whatever, the way they disclosed it isn't much different from no disclosure at all - the exploit would have been identified in the wild and fixed soon thereafter. "Researchers"...
john_strinlai 3 hours ago
the way they disclosed it is the industry standard. think of the biggest security research teams you know (e.g. google), and they follow the same process. non-security people always seem to get up in arms about it, but there are very good reasons why the industry has landed on the process it has, which has been hashed out over a few decades.
selectively 2 hours ago
There are two options:

1. Status quo. Researchers are free to disclose to a vendor, free to sell vulns to legitimate companies, free to do full disclosure if they want. This situation benefits security. Researchers are able to pay their bills while also doing meaningful research into OSS projects that are unable to fund the kind of security audit they need. Harm reduction, of sorts.

2. Everyone is a bad actor. No one is going to do this work for free/for a bounty. Horrible flaws will be found and shared with ransomware gangs and the like. 0day will sell for a percentage of the ransom winnings. Researchers will live like kings, everyone else will suffer.

Which do you prefer?