| ▲ | ori_b 3 hours ago | ||||||||||||||||||||||||||||||||||||||||
Really? It seems very odd to not check in on the status of the fixes, even if it's technically possible to pass the blame to other people. Even if the only purpose of looking at the status to make yourself look good in marketing materials, it's surprising that it didn't happen. | |||||||||||||||||||||||||||||||||||||||||
| ▲ | 9question1 2 hours ago | parent | next [-] | ||||||||||||||||||||||||||||||||||||||||
`it's technically possible to pass the blame to other people` presupposes that the blame belongs to the reporter unless effort is taken to "shift" it. This is just an inaccurate worldview as many people have pointed out clearly in this discussion. If there's a vulnerability in software the blame lies with people who wrote and maintain the software, not someone who finds and discloses a vulnerability. The person who should `check in on the status of the fixes` is the person who owns the thing being fixed, which is very much the kernel and distro maintainers and not the security researcher. It is you who are willfully shifting blame to an innocent party | |||||||||||||||||||||||||||||||||||||||||
| ▲ | Joker_vD 2 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||||||||
One of the reasons this unavoidable deadline was invented, is that the alternative is that one company (or all of them) can simply decide to ignore the vuln report, and then the vulnerability will stay forever undisclosed and forever out there in the wild. And prisoner's dilemma suggests that most companies would chose "do nothing" in this scenario: they don't have to do anything, and if the vuln stays undisclosed, it probably won't be exploited anyhow. Win-win! | |||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||