
GitHub bans full disclosure - ryanlol
https://twitter.com/hackerfantastic/status/1076376641113190400
======
bdcravens
This title draws a conclusion that the tweet never states. They pulled the
repo because it disclosed a Microsoft 0-day vulnerability (and GitHub is owned
by Microsoft, so if you published a GitHub vulnerability, it'd be the same
result I expect). I didn't see anywhere that GitHub has a policy of "banning
full disclosure". I suspect mods should change the title.

------
rasz
I wonder if it's the same 0day Microsoft refused to pay for after responsible
disclosure, or a new one.

------
heyjudy
Upon discovering a 0day, there are a number of ethically-variable choices:

- monetize it, which leads to its unknown use by those of means for good,
bad and ambiguous purposes

- keep it a secret for personal ability

- do nothing and forget about it

- drop it to the world immediately, leaving millions vulnerable while vendors
scramble to do a not so thorough job fixing it

- report it discreetly to the vendor with a reasonable disclosure timeline
that aims to work with them to fix it in a timely fashion

The last is the most ethical, but I can understand why some would sell remote
exploits for large piles of cash. Dropping 0days is like setting a forest
fire and hoping the fire department can put it out before it reaches people's
homes; it's unethical because it's a power trip of unnecessarily harming many
people just because you can and then blaming them for one's own, preventable,
harm-causing actions.

~~~
rasz
You can also 'report it discreetly to the vendor', don't even get mentioned in
the CVE and get refused a bounty, then drop the PoC and all of a sudden you are
the bad guy apparently.

