
Hyenas of the Security Industry - randomwalker
http://seclists.org/dailydave/2010/q2/58
======
jawn
Another round of navel gazing and arguing over the best way to self-promote
from the security industry talking heads? Color me shocked.

More seriously, some people disclose privately, some people disclose publicly,
others don't disclose. What value does a standardized take on disclosure add
to the security industry?

------
mcantelon
Vendors don't want the bother of dealing with vulnerabilities and are unlikely
to voluntarily pay those who discover them. It is up to researchers to use
leverage to induce vendors to take responsibility for their oversights.
Researchers should make the pain of vulnerabilities such that, due to public
embarrassment and resulting loss of sales, vendors are motivated to compensate.

------
alecco
tptacek?

~~~
tptacek
Yeah, this mail is a big deal. Lots of people talking about it.

I like lcamtuf's take on it best:

[http://lcamtuf.blogspot.com/2010/06/not-disclosure-debate-again.html](http://lcamtuf.blogspot.com/2010/06/not-disclosure-debate-again.html)

~~~
alecco
Yup.

    > Nobody in this debate is particularly forthcoming (Spengler
    > included, as much as I enjoyed his post), and no solution
    > is perfect. Only one of these groups has PR departments, though.

Also Spengler's response in the comments is important:

    > I commented specifically on the 'de-evolution' of "responsible
    > disclosure" into something where it's deemed irresponsible
    > if a researcher doesn't allow a vendor to sit on a vulnerability
    > for as long as they feel like.

