undefined | Better HN

0 pointsbusterarm2y ago0 comments

Full disclosure isn't something for _companies_ to do. It's what _researchers_ do. Full disclosure isn't compatible with the monetization incentives offered by companies. You're publishing in public and immediately.

I think you clearly do not understand what full disclosure is.

0 comments

2 comments · 1 top-level

jampekka2y ago· 1 in thread

My understanding of Full Disclosure is that researchers publish the vulnerability (and potentially exploit) publicly without coordinating with the software vendor. This contrasts with Coordinated Disclosure (sometimes "Responsible disclosure" in corporate propaganda) or No Disclosure (and potentially e.g. selling the exploit).

I admittedly used disclosure in a bit different sense for companies in that companies typically don't give out any (truthful) information they have if they aren't required by law. And they lie when profitable.

The symmetric action from a researcher is to sell the exploit to the highest bidder. Of course if the researcher wants to do other disclosures, that's fine too. But what I don't like is the double standard that researchers are scolded for being "unethical" but companies, by design, not caring about ethics at all is just fine and the way it should be.

busterarmOP2y ago

But that's exactly why as a researcher you should operate under Full Disclosure. Properly motivate the companies to do what is right and don't take on questions about financial motivations, etc.

j / k navigate · click thread line to collapse