upvote

points

by semiquaver19 hours ago |
comments
upvoteby happyopossum19 hours ago|
next
[-]
No, nor can I point to a written policy that states one should cover one’s mouth when they cough.

Everyone involved here failed to do the right thing, and hiding behind the lack of written words is weak sauce.

reply
upvoteby anikom1519 hours ago|
prev|
[-]
The tenets of decency don’t need to be written down.
reply
upvoteby tob_scott_a18 hours ago|
parent|
[-]
If you can't write it down, why would you expect it to be universal and enforceable? Different cultures exist and have different opinions on what "decency' means, after all.

A security researcher's ethical obligations are to protect users over vendors (barring any contractual agreement in place). From what has been discussed in this thread, they meet that bar.

Sure, they could have gone the extra mile to ensure the distros were in a good place to patch before they published the exploit. That's a kindness you can wish for, but don't disparage them for not going that extra mile. It's a bonus.

It's also possible that it simply didn't occur to them to do so this time. There's certainly lessons to be learned either way. I don't know that the right lessons will emerge from hostility.

reply
upvoteby Quarrelsome18 hours ago|
parent|
next
[-]
> If you can't write it down, why would you expect it to be universal and enforceable?

and this is the problem. It used to be the case that if you were smart enough to find an exploit you were also smart enough to realise what would happen if you irresponsibly disclosed it. I guess these tools have made that pattern no longer apply.

reply
upvoteby true_religion18 hours ago|
parent|
[-]
From my point of view, they told the kernel security team which is in charge of fixing this. If it’s important for them to tell other people, then it should’ve been written down and further reiterated when they made their report.

The skills to detect code exploits is not the same as the skills to navigate an informal org chart to the satisfaction of an amorphous audience if end users (i.e. us on HN).

That said… as they are a company that supposedly specializes in this field, and is trying to sell a product, I do believe they should do better. Right now, I don’t have much confidence in their product.

reply
upvoteby scragz18 hours ago|
parent|
prev|
next
[-]
different cultures have different views on disclosing vulnerabilities to distros before the public?
reply
upvoteby embedding-shape18 hours ago|
parent|
next
[-]
Yes :) The blackhatter would obviously sit on it until they can sell it or use it, the whitehatter collaborate the kernel and distros to patch, and the greyhatter argues on HN whether the latest *fail was responsible enough or not.
reply
upvoteby sunshowers16 hours ago|
parent|
prev|
[-]
Yes? "Different cultures" doesn't just mean different countries; there are many cultures within infosec.
reply
upvoteby anikom1518 hours ago|
parent|
prev|
[-]
There is little difference in culture here. Nearly all open source work is done in English.
reply