Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> but the white-hat thing to do is give them notice

That's why you _shouldn't_ do it that way.

> Please consider doing this the proper way

"whitehat" != "proper".



While, yeah, I'm in the security industry, I agree that the "whitehat way" isn't always the "proper" way.

That said, there is an easy way to compromise on this one, and is the way I generally go about disclosure:

1.) Email security contact with vulnerability, announce that you will be releasing information in 30 days.

2.) 30 days later, release the information.

If a month isn't enough time to apply a fix (I do 60 days if it's a particularly complex issue), then the organization pretty much doesn't care.

I don't support responsible disclosure because it's "whitehat approved," nor do I do it because I particularly care about the vendors themselves.

I'm a proponent of giving the vendor a chance because of all the sysadmins that would suddenly have an 0day on their hands and be forced into the difficult position of either:

(1) shutting down the effected service

(2) hoping they just don't get targeted, which is unlikely

(3) trying to release a patch themselves.

That is a shitty position to put people, in my opinion.

Daeken, I've chatted with you in #startups once or twice (as 'dshaw'), and I think you're a genuinely cool guy. This research is awesome, but I still think you should give vendors a chance. Assuming that they already know about the vulnerability might actually be giving them too much credit... they did create the issue, after all.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: