For what it’s worth, a lot of folks have stopped using the term responsible disclosure and are now talking about coordinated disclosure. A lot of companies think that ‘responsible’ means ‘tell them and give them an unbounded amount of time for a fix even if there are likely to be active exploits in the wild’.
I’m going to write it up soon, but the network stack on CHERIoT RTOS is designed so that even an attacker who gains arbitrary code execution in the TCP/IP stack can’t join a DDOS botnet. I really hope this will become the security baseline for IoT soon.
I’m aware. I also have no problem with the discussion that companies can have wrong ideas about responsible disclosure, and I’d like to say that responsibility goes both ways, and the company obviously also has to be responsible. (And delaying a fix for indefinite amounts of time, or not collaborating with a researcher, isn’t responsible, and I don’t react kindly to it.)
But I also feel some people have problems with the term “responsible disclosure” for other reasons. (I.e. they don’t like the idea that it could be considered irresponsible to sell their 0days to whatever shady company pays them most for it.) I’m much less sympathetic to that direction of criticism.
Yes! “Responsible” has been misused by vendors implying that “not abiding by the vendor’s rules is irresponsible”.
(Author of those slides here.)