What people who complain about "irresponsible" full-disclosure seem to
forget is that these people who find security bugs are doing the developers
a favor merely by finding the bug and letting them know about it (either
directly, or indirectly by publicizing it so everyone knows about it)...
They're essentially working as unpaid QA testers or security analysts...
They are under absolutely NO obligation to treat the developers with any
level of deference, or to cut them any slack in getting a patch together
before going public, or even to notify them personally ahead of time at
all! And, it's utterly moronic to berate them for performing a task
which directly results in a more secure and stable product, simply because
you don't like HOW they chose to help you... Just be thankful they're
the ones finding and publicizing such bugs, rather than someone who is a
bit less scrupulous, and might instead keep such knowledge to themselves
and use it to quietly exploit your software instead... It's not full
disclosure that puts users at risk; it's lack of disclosure... And, this
modern trend toward "responsible" disclosure, and labelling anyone who
doesn't give the developers months of quiet time to secretly work on a
patch as bad guys barely a step above script-kiddies, really makes me gag...
All that quiet time is time that users of your software remain vulnerable
to a security hole which you are fully aware of... Who is "irresponsible"
now?? I'd much rather KNOW about the hole myself, so I can either patch it
my damn self, or stop using the app, or do something else to mitigate my
own risks, thank you very much... Not all of us want to rely on being
protected by the all-knowing software-gods, who obviously know better what
is good for us than we ourselves do... ;-/
(And, FTR, I'm a software developer myself... I've been writing Unix/C
code for over 15 years... But, I'm also a heavy user of software, and as
BOTH a user and developer, I see full-disclosure as nothing but a wonderful
thing which should always be encouraged, and I see any attempts at restraining
or limiting it under any guise of "responsibility" to be nothing but
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds