
I would have expected a responsible disclosure timeline, but it looks like he didn't report this to MS



I'm not sure I would have either. This is not a security bug. This is pure negligence and doesn't deserve the courtesy IMHO.


Responsible disclosures aren't really a courtesy to the developer as much as they are a courtesy to the users who are running the software in production.


The courteous thing to do to the users is to let them know ASAP so they can stop using vulnerable software, without letting the vendor cover up the problem.


That's not a practical solution for the vast majority of cases. Even slow vendors can patch vulnerabilities much quicker than most institutional users can migrate software. If we stopped using software any time a vulnerability existed, we wouldn't be using much software.

This is one of the reasons that responsible disclosure policies exist, and why they are widely adopted in the industry. It is a balance of risk and resources.


It would have been a courtesy to Teams users too, not just MS. I don't see the downside of going through the proper channels before disclosing this publicly unless the goal is some kind of "revenge" for the bug.


There is a difference between unintended yet inevitable bugs and negligence.

Deliberately cheaping out on security because security researchers generally hold to a responsible disclosure procedure is not in the users' interest.

This is not one of those inevitable bugs. This is an indicator that there may be security issues littered throughout the system because no one cares.
