Microsoft puts a lot of effort into advocating and rewarding the process of Responsible Disclosure. RD allows folks who discover software vulnerabilities to share the information with the manufacturer and others in a way which maximizes the appropriate countermeasures are available before an exploit and minimizes risks to the community at large. When done correctly, the process allows everyone to benefit by coordinating the availability of a patch, fix or workaround, with the disclosure of the vulnerability. The discoverer is always fully credited with the effort, which is almost always the goal for security researchers.
One way not to do RD is to email, post or blog the details of the vulnerability before a fix has been established, as it puts everyone at risk.
Another way not to do it is to post the vulnerability on eBay.
Sigh.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment