Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"Responsible disclosure" is a coercive term. It implies that it's irresponsible to do anything else. "Coordinated disclosure" is far better.

That said, coordinated disclosure is the neighborly thing to do, but it's by no means a moral obligation. It would be perfectly fine for the author to tweet about it, for example.



No moral obligation? I don't think many people would agree with you on that.

If you are actively poking around at someone's home and you find an unlocked window, you don't think there is a moral obligation to inform the owner of the security issue? No moral issues if you then find a group of hoodlums down the street and announce that house 123 has an unlocked window?

I can see if you were just driving by and saw the window open, you don't really have any obligation (unless you plan to announce it publicly) but if you are actively seeking out security flaws in someone else's property, not disclosing it to the owner and then announcing it or worse, selling it to potentially bad actors seems morally reprehensible.


This isn't equivalent to "If I leave my door unlocked..." scenarios. It's perfectly legal to register any .io name you want. You can't go poking around someone's house.

The situation is more analogous to discovering that a certain type of door offers no protection, even though it seems to lock. It's perfectly fine to tweet about that, regardless of how many people have that door. The blame lies on the company, not the messenger.


That would still be unethical. An ethical person would not commit acts which they know have the potential to cause harm to innocent people.

If you're a black hat and you don't give a shit about potential legal ramifications or any injury to anyone (partly because you fear no consequence), there's probably nothing unethical to you about fucking over a bunch of innocent people just so you can "spank" some douchebag management company into following best practices.

If you're a professional, or even a non-douchebag adult, who finds value in the ideal of protecting the innocent customers of a dangerously irresponsible corporation, you would want to work first toward protecting those individuals, and then focus on disciplining the corporation.


It represents a moral judgement that it is absolutely not okay (or perhaps: irresponsible) to screw over n+y people for the actions of n people.


This moral judgement is mistaken because its premise is false. The moral blame lies on the company that allowed the problem to happen, not the person calling attention to it. It's not at all the same as "if I leave my door unlocked..." type scenarios. It's perfectly legal to register .io's nameservers.


That's a cop out. If your actions reasonably cause harm to other people, regardless if those actions are "calling attention to" or actually pulling the trigger, that's a moral evil.

If someone goes around the town telling everyone that you leave your door unlocked, while they can't be legally held responsible, they're still morally responsible if someone goes in and steals your stuff armed with that knowledge.

Companies fixing their stuff before that happens is in everyone's best interests at the end of the day - hence responsible disclosure.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: