Comment by flumpcakes

3 days ago

Did the author actually disclose this RCE or just open random PRs and claim there's an issue?

It doesn't appear that the author is acting in good faith; instead they are grandstanding in public because they feel superior.

The author quite clearly outlines their reasoning for this in the article:

> Carrot Disclosure, dangling a metaphorical carrot in front of the vendor to incentivise change. The main idea is to only publish the (redacted) output of the exploit for a critical vulnerability, to showcase that the software is exploitable. Now the vendor has two choices: either perform a holistic audit of its software, fixing as many issues as possible in the hope of fixing the showcased vulnerability; or lose users who might not be happy running known-vulnerable software. Users of this disclosure model are of course called Bugs Bunnies.

  • Seems like grandstanding bad faith to me. They didn't even bother to follow the established disclosure policy for this project because the author feels the quality of the code is so crap, so instead they do this...

    • Maybe, but I can see why people don't want to deal with red tape to do someone a favour.

      Once I tried to help an open source project with a bug and was rejected because I didn't agree to support Ukraine, that all sexual orientations are equal, or whatever else the long-winded contributor rules were.

      The issue isn't that I don't support those things, it's more that it's like someone handing me a 3-page form to fill out for picking their keys up for them.

      There also may be conventions on disclosure and exploits, but they're not based on the law or rules of society.