Another round of navel gazing and arguing over the best way to self-promote from the security industry talking heads? Color me shocked.
More seriously, some people disclose privately, some people disclose publicly, others don't disclose. What value does a standardized take on disclosure add to the security industry?
Vendors don't want the bother of dealing with vulnerabilities and are unlikely to voluntarily pay those who discover them. It is up to researchers to use leverage to induce vendors to take responsibility for their oversights. Researchers should make the pain of vulnerabilities such that, due to public embarrassment and resulting loss of sales, vendors are motivated to compensate.
> Nobody in this debate is particularly forthcoming (Spengler
> included, as much as I enjoyed his post), and no solution
> is perfect. Only one of these groups has PR departments, though.
Also Spengler's response in the comments is important:
> I commented specifically on the 'de-evolution' of "responsible
> disclosure" into something where it's deemed irresponsible
> if a researcher doesn't allow a vendor to sit on a vulnerability
> for as long as they feel like.