Don't we have a good idea how they would have responded from how they've actually responded? It took four months and a huge public backlash before they acquiesced to demands for replacements.[1]

[1] http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-fi...

How they responded after public disclosure says little about how they would have responded to notification with a deadline for public disclosure.

I understand the various incentives for Onity, and I think a great incentive for them is, given six months to address the issue, knowing it'll be made public, to take at least some proactive steps such as notifying large customers or being ready upon public disclosure with a mitigation plan.

His whole blog entry is a lot of handwaving to cover up the fact that he never even gave them a chance to do something anything like the right thing.

He makes an important point though: security researchers have been used by vendors as part of trying to go through the traditional process of responsible disclosure. It could easily come off as blackmail[1]. Simply disclosing to the public avoids that possibility, because the researcher was clearly not trying to personally get something from the vendor.

That being said, I think this kind of thing should be covered by whistleblower protection laws (I don't know if it's ever been tested)... although it seems those are only enforced when it's convenient.

So while I think he may have reached the right conclusion, I don't think it was for the right reasons. If sufficient protections for disclosers are in place, this should be a relative non-issue (though it makes sense to adjust the disclosure window based on the ease and risk of the vulnerability in order to apply pressure for an expedited fix).

[1] Given there's no payout for the researcher other than having the vulnerability fixed, it is conceivably not too hard to defend against. That doesn't change the fact that they can be sued, which is expensive, time-consuming, and stressful.

The best protection for the discloser is simply to do so anonymously, which shouldn't be difficult for someone like this.

Alternately, do so 'legal anonymously', perhaps by the EFF approaching the company and saying "we have in our possession information on a security vulnerability in your product. We want to give you information on it. In six months this information will be made public. We ask for and want no compensation or consideration at all."

That's it. There exist methods to do this safely; Daeken could have done it, and didn't.

No, the EFF doesn't offer this service, and given the volume of vulnerabilities disclosed, it would be a huge waste of their resources.

I'm not paying a lawyer because you have broken software that I had nothing to do with making.