
Well, it’s an argument for responsible disclosure: you tell them, give them plenty of time to fix it, and publish.

But responsible disclosure absolutely does not mean “no disclosure”. It means give them a chance to fix it. If they choose not to, you disclose so that people know that they need to take steps to protect themselves.

The important thing is that the disclosure must become public. It doesn’t matter that they pushed an update, as none of the victims who had deleted/“uninstalled” Zoom will get the update, and without the update they’ll still be running the server.

The only way anyone would know about it is with the details being public.

I’m waiting for Apple to use XProtect to kill the server on all machines, as that’s the only true solution for the uninstalled victims.

Responsible disclosure doesn’t mean anything. It’s an obsolete term. You’re referring to coordinated disclosure.

https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coor...


This case is actually a really great demonstration of why this often-repeated claim is false. This was responsible, but not coordinated, disclosure.

Only in the literal sense. A commonly cited issue with the term "responsible disclosure" is that the discoverer is responsible for their own actions, even though the action indeed benefits the public. In this viewpoint the vendor can argue that it is not responsible to ignore the vendor, even though the vendor itself is being unreasonable. The term "coordinated disclosure" was invented to fix this abuse. You can't literally interpret "responsible" or "coordinated" without this context.


There’s nothing false about it. The term “Responsible Disclosure” was invented by a vendor as a self-serving PR tool to cover their own ass. “Responsible” is subjective and loaded, so it’s not useful terminology, and professionals in the field do not use it.
