1. 12

  2. 9

    Wow, that issue reporter is a dick. Responsible disclosure is a thing.

    1. 5

      As someone who’s been in the information security industry for decades, I’m always amazed by two things:

      1. Some people know about responsible disclosure but don’t practice it.
      2. Some vendors demand responsible disclosure, never respond or fix the problem, and then get upset when the vuln is publicly disclosed 30-90 days later (I’ve been threatened with lawsuits before for that sort of thing).

      I can forgive people who don’t know about responsible disclosure, but I’m still surprised by the people who doubt its merits.

      1. 2

        Completely agree.

        1. 6

          I believe it gets the point across to researchers that either you disclose serious vulnerabilities carefully or you don’t get the recognition for disclosing them.

          Granted, I still find it a little childish and it might cause researchers who don’t care about responsible disclosure to leave memcached unpatched (I’m split on whether I’d rather have vulns disclosed irresponsibly or never disclosed at all), but I guess normando was in the heat of the incident and trying to get this fixed ASAP.

          1. 2

            I’m totally OK with that minor slap back to be totally honest.

          2. 2

            Unpopular opinion puffin meme: Full disclosure is the only form of “responsible” disclosure: https://git-01.md.hardenedbsd.org/shawn.webb/articles/src/branch/master/infosec/Vulnerabilities/2019-01-08_Disclosure/article.md

            1. 2

              Thank you for sharing this, I think it does make a strong argument for ‘full disclosure’ that I had never considered.

            2. 1

              Honestly I don’t find that helpful.

              I personally think that responsible disclosure is preferable to immediate disclosure. But looking at the bigger picture: any disclosure is better than no disclosure, yet people doing no disclosure never get the amount of criticism that people who don’t follow the procedures some people prefer get.

            3. 3

              UPDATE: this has been fixed in release 1.6.2 (see this comment)

              1. 0

                That’s why I’m rewriting memcached server in Rust :)