WP Tavern Forums

Ian Dunn

You’re absolutely right that Schneier and Google were both advocating that researchers start with responsible disclosure, and then resort to full disclosure if the vendor doesn’t fix the vulnerability within a reasonable timeframe, but it’s important to recognize that they were saying that in the context of a general policy, while Yan was responding to a specific vulnerability whose nature arguably lends itself towards rapid full disclosure.

The point in referencing those articles was to show that responsible disclosure is often insufficient, and that full disclosure is an acceptable response if the situation warrants it (e.g., because the vendor isn’t acting quickly or, in this case, because it’s clear that the vulnerability is already known to attackers).

From her comments, it sounds to me like Yan would mostly agree with Schneier and Google that private disclosure is generally the best way to initially respond to a discovery, and that is how she did initially respond, so I think the central issue is the length of time she waited.

I’m guessing that if this had been a more esoteric vulnerability, one that was less likely to be actively known to attackers, that she would have waited much longer, but in this case I can see a compelling argument that waiting would have done more harm than good.

Given that attackers are already exploiting it, what were the pros and cons of waiting before public disclosure? The downsides are that unskilled attackers were informed about the vulnerability, and there was bad PR for Automattic. The benefits were that it immediately gave users effective ways to mitigate the risk on their own, and that it put external pressure on Automattic to fix the vulnerability immediately.

I’m not saying that I would have acted the same way if I had been in her shoes, but I can see why she weighed the pros and cons the way she did.
