- From: Livingood, Jason <Jason_Livingood@comcast.com>
- Date: Thu, 2 Mar 2017 22:51:59 +0000
- To: Mark Watson <watsonm@netflix.com>
- CC: "public-security-disclosure@w3.org" <public-security-disclosure@w3.org>
- Message-ID: <9AFD4008-175A-4711-AF7A-26B2E6C6B4B4@cable.comcast.com>
“full” or “responsible” seem like unnecessary qualifiers on disclosure that will end up being too much the focus of debate. I like that the current proposal simply sticks to “disclosure” by itself. Jason On 3/2/17, 11:41 AM, "Mark Watson" <watsonm@netflix.com<mailto:watsonm@netflix.com>> wrote: Rich, There's obviously scope for debate about the best approach in any given case, and you make an eloquent argument for one approach. However, I think what is being said here is that for the case where a security researcher choose the "responsible disclosure" path: (1) It it better that companies have policies about this, rather than no policies, and (2) We can write guidelines that can help companies improve those policies I actually don't think the W3C should step into the debate over whether "full disclosure" or "responsible disclosure" (for want of better terms) is "more responsible" - or at least not as part of this activity - not least because there is a case by case judgement to be made and I agree with your assertion that the security researchers in question are best placed to make that judgement. Perhaps the proposed guidelines should be clearer on that point ? ...Mark On Thu, Mar 2, 2017 at 4:21 AM, Rich Kulawiec <rsk@gsp.org<mailto:rsk@gsp.org>> wrote: On Tue, Feb 28, 2017 at 04:17:31PM -0500, Philippe Le H??garet wrote: > I don't think the draft is disagreeing with this statement. It proposes a > time period "(usually not to exceed 90 days)" before full disclosure can be > published, attempting to find a balance between existing regulations and > researchers needs. The draft *sharply* disgrees with my statement. I'm advocating immediate full disclosure (with no prior notification to anyone) as the default approach -- with an allowance for the very few edge cases in which this would cause substantial damage to the privacy/security of third parties, that judgment to be made by the people best-positioned to make it: security researchers. (It's worth noting that all security researchers worldwide combined could not do more damage to the privacy/security of third parties in a year -- even if we worked overtime -- than many vendors/operations do in a day. Example: overnight, Yahoo announced a THIRD massive data breach, no doubt yet another unintended consequence of their decision to deliberately undercut their own security team.) > It is actually meant as a coordinated disclosure template. It doesn't use > the term "responsible disclosure" and doesn't attempt to push to shift > responsibilities around. I'm well aware that the draft doesn't use that term, however it clearly articulates an approach that's generally called "responsible disclosure" as a term of art by participants in the security field. I quoted it throughout my message to reflect my view that "responsible disclosure" is actually very irresponsible: that is, this approach in practice is precisely the opposite of what responsible researchers should do. ---rsk
Received on Thursday, 2 March 2017 23:57:16 UTC