Comment by SkyBelow
4 hours ago
>responsibly disclosed
Isn't this a double plus good phrase? What makes this more responsible? Reasoning about first order effects of different disclosure models? But what if someone uses higher order reasoning and critical thinking to reach a conclusion that other disclosure models are better for the average user and the long term health of the industry, even if they are worse in any individual case. A difference in the security culture incentivized by different disclosure patterns. Why does this one win the name of responsible while other alternatives, which have never been proven to be worse, are automatically marked as irresponsible?
Reminds me a bit of the concept of identity theft, as a way to say that even though the bank (or other creditor) was the one who had money taken from them, it is actually the random person not involved in the transaction who is the victim and has to hold the debt until the issue is resolved.
Could you elaborate on what other disclosure models you're referring to? I can't imagine something being "more responsible" for the public than privately notifying the owning party to give them time to fix the issue, before notifying the rest of the world (including malicious actors) about it.
It's a security industry term. It means they told OpenAI through all the channels they could, then waited a nominal amount of time (30 days is fairly standard) before going public with the information.
The other side would be irresponsible disclosure. Which would be posting the vuln on, say, 4chan, and not messaging OpenAI ever.