Ah. Well to that specific point, I acknowledge that it's much more complicated than that. I oversimplified b/c 240 chars.
Is it fair to say that Full Disclosure optimizes for full control of things being given to the end user, even when that may disadvantage and harm other end users?
Replying to @0xMatt @docsmooth
No. Vulnerability discovery isn't a mutually exclusive event, other people can find and exploit them simultaneously, our concern is that people are at risk while the vendor is trying to hide the problem.
Replying to @taviso @docsmooth
What, in your words, does Full Disclosure optimize for?
Replying to @0xMatt @docsmooth
The core tenet is that users should be informed before (or at the same time as) vendors. I suppose it optimizes for empowering users to handle their own risk?
Replying to @taviso @docsmooth
If I can get a little bit more subtlety here: You're saying it optimizes for "Empowering users to handle their own risk". Aside from the way the words feel, how is that actually not "Every user for themselves" as I originally stated?
Replying to @0xMatt @docsmooth
The reason users need this information is because it gives vendors an economic incentive to address the vulnerabilities users care about. That is not "every user for themselves", any more than democracy is every citizen for themselves?
Replying to @taviso @docsmooth
CVD assumes that a disclosure will occur but allows for a delay for the vendor to fix things. The economic incentive still exists under CVD as long as you don't allow unlimited timelines for fixes. And I have no problem zero daying vendors who won't fix.
You're worried about what happens during the delay, when there's no patch available. It's that period of time that seems to me like "every user for themselves" is at least somewhat accurate, if not the politest way to phrase it.
It's also worth noting that even in democracies, information relevant to national security is routinely kept secret and not fully disclosed.
Nobody is arguing for no more secrets (?). The difference with vulnerabilities is the information is available to everyone, and we know that adversaries are looking for and finding them. Full disclosure advocates are not arguing for you to post your bank statements online 
OK, then when on the continuum does a disclosure model go from FD to CD? Where pure FD is "immediately upon discovery" and pure CD is "only after the patch which may never come"? 1 week? 2nd contact attempt?
Replying to @docsmooth @0xMatt
I don't understand the question, if the disclosure is not co-ordinated, then it's not cvd. It's in the name. If you're saying there is a middle ground you prefer between full disclosure and cvd, then that's fine, but clearly that is not cvd?