Comment by akerl_

4 years ago

> Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities

Can you provide more context for this point? As somebody with some experience in infosec, I don’t think that’s actually so clear cut. There are people who believe coordinating with vendors is the right course, and people who believe embargoes compromise users’ ability to make safe choices. There are also people who think the right course depends on the individual vuln/system.

It's not clear-cut, at all. It'd be hard to defend any claim premised on a broad agreement in the field about how to handle disclosure.

In Vanhoef's case, though, he's bound by standards his university has for this stuff, not just his own personal preferences.

  • Absolutely, it was wrong for me to try and speak for everyone. In my own professional circle, this is what's accepted, but there are many who think otherwise, so my apologies.