To put it bluntly: if you put academic creds and getting a paper published before everyone's security, you're an asshole.
Protip: this makes your disclosure *irresponsible*. So does notifying an academic review board 2 months before notifying vendors. Asshole. pic.twitter.com/7pu3Qhn0cd
Two months from initial idea to fully working exploit then a 90 day disclosure period or did I mess up the timeline?
Two months from submitting the *finished* paper for review to notifying the first vendor. Who knows how much longer it was cooking.
"Aren't you just glad he called an ambulance after running a red light and over a pedestrian? He could easily have run away instead."
Isn't it irresponsible to publicly disclose at all before fixes have been deployed? World is now much more unsafe than it was yesterday.
Yes, it definitely took years to spot a bug while reading OpenBSD code and realize everyone made the same mistake. Right.
Yeah ofc. But then perhaps if only vendors have it they may not bother to fix, or worse exploit it. It's a tricky one!
Responsible disclosure is all about balance. This is why you set a hard deadline and give vendors that time to patch. 90 days is typical.
If the whole PhD thesis is relevant for the bug, it's a bullshit thesis. If it wasn't, then it wasn't relevant.