Responsible Disclosure — 16 Opinions

An anonymous reader writes, "Disclosure. Just a word, but in the security field it is the root of progress, sharing knowledge and getting bugs fixed. SecurityFocus published an interesting collection of quotes about the best disclosure processes. The article features 11 big vendors, 2 buyers of vulnerabilities, and 3 independent researchers. What emerges is a subtle picture of the way vendors and researchers differ over how much elapsed time constitutes 'responsible.' Whereas vendors ask for unlimited patience, independent researchers look for a real commitment to develop a patch in a short time. Nice read." Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

Wikipedia

[adavies42]

Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

It does now.

If it involves Microsoft....

[Tanuki64]

...the decision is easy. Publish the bugs after five days. This should be enough. They proved they can deliver patches after three days.

Re:If I were Microsoft

[SensitiveMale]

"If you discover a vlunerability and report it only to us, when we eventually release the patch, we will give you credit for discovering it (what researchers really want), and we will give you $10,000.

$10,000 per bug would bankrupt microsoft.

Re:5 days with MS?!

[Opportunist]

Well, I certainly wouldn't want to install anything that comes out of MS after only 5 days. History tells us that the consumer-related bugfixes take at least 30 days, only industry-benefitting fixes come out over night.