
What Can Happen in the Course of Vulnerability Disclosure - edwinjm
http://www.insinuator.net/2015/09/sending-mixed-signals-what-can-happen-in-the-course-of-vulnerability-disclosure/
======
dizzyviolet
So, just immediately publish my research next time instead? Got it.

------
kiliancs
Earlier discussion today:
[https://news.ycombinator.com/item?id=10204720](https://news.ycombinator.com/item?id=10204720)

------
MichaelGG
This just makes it more likely to drop info without involving vendors. Why
expose yourself to this?

~~~
tedunangst
Indeed, although there is some risk they'll come after you for trade secrets
or espionage or copyright or whatever. If you can find out where the line is
beforehand, maybe you won't cross it. It seems they were heading towards
agreement, with only a few things deemed too sensitive, before it went off the
rails.

~~~
jessaustin
It seems likely that there was good-faith negotiation between the researchers
and some reasonable people at FireEye. Then some dumbass executive (general
counsel, perhaps?) got wind of the proceedings and decided to blow shit up.

~~~
tedunangst
That's not surprising. Being nice can come back to bite you if the other party
turns out to be not nice.

Alice says "hey, we'd like it if you toned it down a bit, but otherwise
appreciate your research. Good luck with your presentation." Bob then releases
all of Alice's source code in his presentation. Alice sues Bob, but oops, she
said "good luck." No dice.

Independent of whatever is "right" or "just" or "reasonable", there are more
downsides and potential liabilities to saying "yes" than saying "no".

