This has been submitted before, but didn’t get much attention and is rather poignant now given Intel’s current troubles.
The best approach is pinata disclosure. We take a vulnerability and stick it in a cardboard donkey without telling anyone exactly what it is. Everybody gets a turn taking their best swing at it until somebody scores a lucky hit, and then there’s a mad scramble to pick up all the candy. It’s tons of fun and a great way to involve the whole community.
I really like everything in this post except for the fact that the author tries to coin “Sensible Disclosure”. Partly because I don’t feel that is distinct enough from Responsible Disclosure, and partly because it has the same problem: it uses a “good” word. (As opposed to a word like “coordinated”, which is neutral.) I think it would have been better off advocating for not using a term like “responsible” at all.
However, that’s a really small part of the post, and I think the rest of the points made are important.
(Meant to submit this comment sooner, got distracted trying to track down a bug in lobsters before realizing I don’t understand rails.)