Hacker News

Forcing them to publicize would also force them to spend the resources to patch them. I'm sure many companies go through those 100 pages and throw out 50 as "wontfix."

Though, if you force them to publicize, you'd probably have to force them to conduct the audits, so they can't avoid the publicity/patching spend by keeping themselves in the dark.
> I'm sure many companies go through those 100 pages and throw out 50 as "wontfix."

I agree in principle, but it's not always that simple. Outside of the obvious "don't make your S3 buckets public", it's usually a combination of priority, cost, and compatibility. Years ago I ran a network inside the firewall of <Insert large company here>. They did constant vulnerability testing, and I had monthly meetings explaining what I was doing to mitigate all of the vulnerabilities that came up. Mitigation for some vulnerabilities meant rewriting decades-old programs to run on a new OS/platform, so we would harden around them the best we could while the work was done.