[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure
- To: Gary Baribault <gary@xxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure
- From: Jordon Bedwell <envygeeks@xxxxxxxxx>
- Date: Fri, 13 Dec 2013 12:32:16 -0600
On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@xxxxxxxxxxxxx> wrote:
> Of course, all software companies would love for the disclosure to wait
> for the fix to be released, and often, if the delay is considered
> reasonable by the hacker in question who found the bug, then that's what
> happens. I think it's only in the case where the company considers the
> bug to be minor or non existent, and they are asking for a ridiculous
> delay that many hackers will say, 'tough luck I'm disclosing on xx' and
> he takes his chances that most of us agree with his decision. As Mikhail
> said, if the hacker came across the bug without any illegal means then
> he should be fine after the release (but IANAL).
To add, in cases where people do release security updates even if a
fix is pending it's most of the time not to do with the time line and
more to do with the fact that the entity with the problem are trying
to silence the "hacker" to prevent embarrassment. At least from what
I've noticed and experienced.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/