- From: Rich Kulawiec <rsk@gsp.org>
- Date: Thu, 2 Mar 2017 07:21:44 -0500
- To: public-security-disclosure@w3.org
On Tue, Feb 28, 2017 at 04:17:31PM -0500, Philippe Le Hégaret wrote:

> I don't think the draft is disagreeing with this statement. It proposes a
> time period "(usually not to exceed 90 days)" before full disclosure can be
> published, attempting to find a balance between existing regulations and
> researchers needs.

The draft *sharply* disagrees with my statement. I'm advocating immediate full disclosure (with no prior notification to anyone) as the default approach -- with an allowance for the very few edge cases in which this would cause substantial damage to the privacy/security of third parties, that judgment to be made by the people best-positioned to make it: security researchers.

(It's worth noting that all security researchers worldwide combined could not do more damage to the privacy/security of third parties in a year -- even if we worked overtime -- than many vendors/operations do in a day. Example: overnight, Yahoo announced a THIRD massive data breach, no doubt yet another unintended consequence of their decision to deliberately undercut their own security team.)

> It is actually meant as a coordinated disclosure template. It doesn't use
> the term "responsible disclosure" and doesn't attempt to push to shift
> responsibilities around.

I'm well aware that the draft doesn't use that term; however, it clearly articulates an approach that's generally called "responsible disclosure" as a term of art by participants in the security field. I quoted it throughout my message to reflect my view that "responsible disclosure" is actually very irresponsible: that is, this approach in practice is precisely the opposite of what responsible researchers should do.

---rsk
Received on Thursday, 2 March 2017 12:22:46 UTC