Windows 0-day pops up out of nowhere Twitter

Michael Wojcik Silver badge

Why did he just throw it out on Twitter and not report responsibly?

While responsible disclosure is certainly more common than it was, say, a decade ago (and much more common than when Rain Forest Puppy published the original RFPolicy back in, oh, 2000?), it's hardly unknown for people to just throw vulnerabilities out on Twitter or other media. This one just attracted some extra attention because it came with a PoC and is fairly serious.

But subscribe to VULN-DEV, for example, and you'll see plenty of potential 0-days flowing by as people discuss whether there's something exploitable in a failure they've run across.

Responsible disclosure has costs, even if they're mostly cognitive load and opportunity costs; that's one reason why many companies have bug bounties. And working with PSIRTs and other disclosure-handlers can be irritating. I'm on a PSIRT myself, and we put a lot of effort into being polite and receptive. But not everyone does. I've dealt with some PSIRT types who are abrasive and dismissive.

Biting the hand that feeds IT © 1998–2019