Let's say hypothetically someone found this hacked website, sent an e-mail to the site owners' security reporting contact, and after a year they hadn't taken any action.
Some would say a "responsible" disclosure which allows the danger to continue unabated for a year is a greater danger than a public disclosure, which would lead to the danger being fixed.
That is one hypothetical scenario, yes. Another hypothetical scenario is that as a result of responsible disclosure the site owners patch the hole and ensure customer data isn't publicly accessible before the vulnerability is public knowledge.
Seems reckless to me to not even _try_ responsible disclosure. You don't have to wait a year. But at least give a chance for the problem to be solved before you make it common knowledge.