Re: Public disclosure of discovered vulnerabilities

tqbf_at_pobox.com
Date: 05/15/05


Date: 15 May 2005 09:11:36 -0700


> Please stop mischaracterizing my position as "shooting the
> messenger". I advocated no such thing.

How can you avoid that charge? You're criticising people who do
pro-bono security analysis work, find incredibly valuable information,
and release it to the public free of charge.

Complaints about "irresponsible disclosure" are straightforward
examples of psychological transference. The researcher didn't CREATE
the problem. The researcher DOES have a moral responsibility to publish
the problem (which becomes clear when you contrast them with the
unscrupulous parties who find and then privately SELL vulnerability
details). From what authority do system administrators claim the right
to add further hurdles to this process?



Relevant Pages