- From: Mark Watson <watsonm@netflix.com>
- Date: Thu, 2 Mar 2017 08:41:48 -0800
- To: Rich Kulawiec <rsk@gsp.org>
- Cc: public-security-disclosure@w3.org
- Message-ID: <CAEnTvdDmpbbJ80GgkCBHeGE4z7=KprqEKu=V5XCMv1dnHZytoA@mail.gmail.com>
Rich,

There's obviously scope for debate about the best approach in any given case, and you make an eloquent argument for one approach. However, I think what is being said here is that *for the case where a security researcher chooses the "responsible disclosure" path:*

(1) It is better that companies have policies about this, rather than no policies, and
(2) We can write guidelines that can help companies improve those policies.

I actually don't think the W3C should step into the debate over whether "full disclosure" or "responsible disclosure" (for want of better terms) is "more responsible" - or at least not as part of this activity - not least because there is a case-by-case judgement to be made, and I agree with your assertion that the security researchers in question are best placed to make that judgement. Perhaps the proposed guidelines should be clearer on that point?

...Mark

On Thu, Mar 2, 2017 at 4:21 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Tue, Feb 28, 2017 at 04:17:31PM -0500, Philippe Le Hégaret wrote:
> > I don't think the draft is disagreeing with this statement. It proposes a
> > time period "(usually not to exceed 90 days)" before full disclosure can be
> > published, attempting to find a balance between existing regulations and
> > researchers' needs.
>
> The draft *sharply* disagrees with my statement. I'm advocating immediate
> full disclosure (with no prior notification to anyone) as the default
> approach -- with an allowance for the very few edge cases in which this
> would cause substantial damage to the privacy/security of third parties,
> that judgment to be made by the people best-positioned to make it:
> security researchers.
>
> (It's worth noting that all security researchers worldwide combined could
> not do more damage to the privacy/security of third parties in a year --
> even if we worked overtime -- than many vendors/operations do in a day.
> Example: overnight, Yahoo announced a THIRD massive data breach, no
> doubt yet another unintended consequence of their decision to
> deliberately undercut their own security team.)
>
> > It is actually meant as a coordinated disclosure template. It doesn't use
> > the term "responsible disclosure" and doesn't attempt to push to shift
> > responsibilities around.
>
> I'm well aware that the draft doesn't use that term; however, it clearly
> articulates an approach that's generally called "responsible disclosure"
> as a term of art by participants in the security field. I quoted it
> throughout my message to reflect my view that "responsible disclosure"
> is actually very irresponsible: that is, this approach in practice is
> precisely the opposite of what responsible researchers should do.
>
> ---rsk
Received on Thursday, 2 March 2017 17:46:27 UTC