undefined | Better HN

0 pointscheald11y ago0 comments

Metasploit does the same thing, and we've managed to not have the internet implode yet.

Yours is the standard argument against any form of disclosure. I'm not discounting it, because no disclosure has its merits, but responsible disclosure satisfies both an ethical imperative (you can't let people believe they're secure if you know otherwise) and provides pressure on vendors to fix their software, when the vendor might otherwise deem it not worth the time or money to fix the issue, which leaves their customers vulnerable.

The basic idea behind disclosure is "we might not be the first people to find this, and we definitely won't be the last, so let's remove all doubt and rob the bad guys of the element of surprise". Responsible disclosure is intended to permit responsible vendors to fix the issue before wide publication, but an uncooperative vendor doesn't mitigate the reality that the bug exists and will eventually be found by someone less benevolent.

0 comments

1 comments · 1 top-level

boracay11y ago

It's still just an excuse. Of course there's no liability in computing so no one actually have to come to terms with that.

j / k navigate · click thread line to collapse