Comment by kstrauser

7 days ago

Responsible disclosure is for researchers in it for more than the lulz. In practical terms, do you think there’s a nonzero chance Musk would give rewards or credit for the report?

I wouldn’t do that because I don’t want a felony. I could see some 16 year old working for their chance at glory.

Responsible disclosure is not about rewards.

And I am not surprised some 16 year old doesn't care. I am more surprised the HN crowd doesn't seem to even mention it. 16 year olds can learn, but only if there's a culture to teach them.

  • I think that’s confusing “is” with “ought”. We ought to teach the people around us to be responsible. If my team, or my kid, or my friends, or anyone else nearby told me they found something like this, I’d explain why they should report it through proper channels.

    But I also understand why this would be an enormous temptation for mischief. Should they have reported it another way, ideally one that wouldn’t put them up for CFAA charges? Yeah! Am I the slightest bit surprised someone thought it’d be more fun to deface this one particular site with its especially crappy security? No, not at all!

    (Also, “responsible disclosure” itself is hugely controversial. It’s most often used by corporations who’d prefer that the vuln is never, ever disclosed.)

    • Sure, there's temptation. Just as goods being laid out on shelves in the store is a big temptation to steal them and not pay. Am I surprised that some people shoplift? No, but that doesn't make their behavior correct or commendable. And the proper response to learning that somebody steals from shops is "this is bad, you should feel bad about this and should stop doing it immediately", not "stupid store, how dare they not lock things up properly!". Yes, this does not and will not prevent 100% of theft, because some people are sociopathic enough to not care about (or even enjoy) social disapproval, but it will make a society where theft is not encouraged, and for people who are not thieves it's better to live in such a society. In the same manner, it's better to live in a society where responsible disclosure is a norm, and to create this norm, it must be culturally enforced. It will not prevent sociopaths from violating it from time to time, but having the norm is better than not having it.

      > “responsible disclosure” itself is hugely controversial. It’s most often used by corporations who’d prefer that the vuln is never, ever disclosed.

      It is sometimes used like that, but it is nowhere near "most often". Most often, responsible disclosure results in exactly what it is meant for: fixing the vulnerability and improving security without harming anyone. And supporting this as a cultural norm would make such cases even more frequent.