
> It is unethical to disclose a security-related issue of some PaaS publicly without first going through the responsible party.

Says who? You?

DO has a history of not responding to issues UNTIL they are publicly disclosed. And in any case, your iron-clad "argument" is a matter of opinion and nothing else. Many people prefer full disclosure.




> Says who? You?

> And in any case, your iron-clad "argument" is a matter of opinion and nothing else.

First, let me repeat: I did get the story mixed up, and the ethical approach I am referring to doesn't quite apply in the current story.

> DO has a history of not responding to issues UNTIL they are publicly disclosed.

It does not matter what happens between DO and whitehats. If an OS command injection is discovered, even if DO has a history of not responding to security issues, the moment the vulnerability is discovered, a whitehat should alert DO privately first. If they ignore it again, then of course you can let the public know and let your zero-day exploit begin. Regarding this, public disclosure before private disclosure is unethical.


> Regarding this, public disclosure before private disclosure is unethical.

I guess you consider Bruce Schneier a peddler of unethical behavior, then? He maintains the threat (and execution) of full disclosure is vital to maintaining security.


Bruce does NOT advocate an end run around the provider. You talk to the provider first, always.


Exactly.

Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies -- who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities. https://www.schneier.com/essay-146.html

If the code is public, just fixing the code without a CVE or similar is considered bad, because diffing the code will yield the vulnerability.

You don't go around telling people you found a vulnerability until it is fixed (in the case of the vendor ignoring the alert, it is ethical to tell the public).
