Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Can you confirm these are not best practices for handling disclosure?

Zak Rogoff zak at fsf.org
Sun Feb 5 13:23:02 PST 2017


On 02/02/2017 07:30 PM, liberationtech-request at lists.stanford.edu wrote:
> Message: 14 Date: Thu, 2 Feb 2017 11:24:01 -0500 From: Rich Kulawiec
> <rsk at gsp.org> To: liberationtech <liberationtech at mailman.stanford.edu>
> Subject: Re: [liberationtech] Can you confirm these are not best
> practices for handling disclosure? Message-ID:
> <20170202162401.GA4295 at gsp.org> Content-Type: text/plain;
> charset=us-ascii On Mon, Jan 30, 2017 at 05:49:08PM -0500, Zak Rogoff
> wrote:
>> > Is anyone who's knowledgeable about disclosure policies able to take a
>> > look at it and share your thoughts?
>> > 
>> > To me, it looks like it's not much of a protection for the researchers,
>> > because it's totally voluntary and apparently allows companies to ignore
>> > it if they make such arbitrary judgements as that the security
>> > researcher didn't give them a "reasonable" amount of time between
>> > private and public disclosure.
> You're correct.  This policy is worthless, as are -- to a good first
> approximation -- all the "responsible disclosure" policies I've seen.

Thanks for your reply, Rich. It's a pity, though not surprising, that
this kind of policy is the norm.

How far afield from major software companies do you have to go to find
one with a policy about handling researchers that is actually ethical
and productive? What are some examples of better policies?

-- 
Zak Rogoff // Campaigns Manager
Free Software Foundation



More information about the liberationtech mailing list