Comment by smsm42

8 days ago

So, responsible disclosure isn't a thing anymore?

Responsible disclosure is for researchers in it for more than the lulz. In practical terms, do you think there’s a nonzero chance Musk would give rewards or credit for the report?

I wouldn’t do that because I don’t want a felony. I could see some 16 year old doing it for their chance at glory.

  • Responsible disclosure is not about rewards.

    And I am not surprised some 16 year old doesn't care. I am more surprised the HN crowd doesn't seem to even mention it. 16 year olds can learn, but only if there's a culture to teach them.

    • I think that’s confusing “is” with “ought”. We ought to teach the people around us to be responsible. If my team, or my kid, or my friends, or anyone else nearby told me they found something like this, I’d explain why they should report it through proper channels.

      But I also understand why this would be an enormous temptation for mischief. Should they have reported it another way, ideally one that wouldn’t put them up for CFAA charges? Yeah! Am I the slightest bit surprised someone thought it’d be more fun to deface this one particular site with its especially crappy security? No, not at all!

      (Also, “responsible disclosure” itself is hugely controversial. It’s most often used by corporations who’d prefer that the vuln is never, ever disclosed.)