
How long should a security researcher wait after disclosing a vulnerability to a company before they release the information to the public?

Why?

Comments

Robb Twomey Dunphy

I'd go with depends. Ideally though 30-60 days to give the company time to look into it and try to patch it.

Anonymous

To me, it goes without saying that they shouldn't wait at all, but I would be interested in the motivation for the other options.

Anonymous

The determining factors come down to: How widespread is the vulnerability and how many individuals does it affect, how many people may already be impacted, and how sensitive is the information/data that the vulnerability exposes? Like Equifax and Yahoo, what harm could come from withholding the information or disclosing it?

Anonymous

30 days. That gives the company enough time to fix the problem and get a patch out, but not so much time that they feel like they can ignore it. In most cases I feel that immediate public disclosure of a vulnerability by a researcher without giving the company involved at least a chance to patch it is, quite frankly, irresponsible.

Anonymous

I said it depends, but I also feel that there should be a controlled payment for the delay... Kinda like a reverse ransom. Congress can say something like 1/10th the current cost of an oz of gold per day or something...

Anonymous

+1 for depends. I have held back on issues within vendor software for over a year due to the potential impact of releasing that information.

Anonymous

It depends on the vulnerability but more on the company. If the company isn't forthcoming with a patch then immediate disclosure to allow consumers to protect themselves asap. If a patch is coming then give them time to release it before disclosure but in all cases no more than 30-60 days.

Anonymous

My boss would sack my ass if I held knowledge on vulnerabilities and didn't notify them. It is procedure for my company's security team to first declare any threats to the team leader and discuss amongst ourselves a resolution to the matter. If we fail to do so, 30 days max, until we have no option other than to disclose information to the consumers; usually we've fixed it before then and a patch is released before any information needs to be made public.

Anonymous

They should not wait at all. The researcher should document the exposure to their fullest ability and then protect themselves. It's an unfortunate reality in the business world but the bottom line still trumps good security policy. Many moons ago I did the equivalent in the mainframe world only to watch my report shredded and I was threatened with a lawsuit which would bury me under the company if what I disclosed went public. Did they address the exposures? No, they did nothing except hire another security person to watch me. My guess is the same thing happened at Equifax except in that case the breach hit the streets before they could contain it.