[liberationtech] Can you confirm these are not best practices for handling disclosure?
Zak Rogoff
zak at fsf.org
Sun Feb 5 13:23:02 PST 2017
On 02/02/2017 07:30 PM, liberationtech-request at lists.stanford.edu wrote:
> Message: 14
> Date: Thu, 2 Feb 2017 11:24:01 -0500
> From: Rich Kulawiec <rsk at gsp.org>
> To: liberationtech <liberationtech at mailman.stanford.edu>
> Subject: Re: [liberationtech] Can you confirm these are not best practices for handling disclosure?
> Message-ID: <20170202162401.GA4295 at gsp.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, Jan 30, 2017 at 05:49:08PM -0500, Zak Rogoff wrote:
>> Is anyone who's knowledgeable about disclosure policies able to take a
>> look at it and share your thoughts?
>>
>> To me, it looks like it's not much of a protection for the researchers,
>> because it's totally voluntary and apparently allows companies to ignore
>> it if they make such arbitrary judgements as that the security
>> researcher didn't give them a "reasonable" amount of time between
>> private and public disclosure.
> You're correct. This policy is worthless, as are -- to a good first
> approximation -- all the "responsible disclosure" policies I've seen.
Thanks for your reply, Rich. It's a pity, though not surprising, that
this kind of policy is the norm.
How far afield from major software companies do you have to go to find
one with a policy about handling researchers that is actually ethical
and productive? What are some examples of better policies?
--
Zak Rogoff // Campaigns Manager
Free Software Foundation