Posts by sirdarckcat@infosec.exchange
(DIR) Post #APfwlfv3HYKoMnYqUi by sirdarckcat@infosec.exchange
2022-11-16T22:32:32Z
0 likes, 0 repeats
@grapheneos @fox Using vulnerability disclosure as a marketing tool is not new, but I'm not sure it'll be well received by the community. It's more defensible to do full disclosure for the merits of full disclosure (that'll get you support from the community), but doing full disclosure for marketing, well... that will put the community against you.

There's plenty of good reasons to do full disclosure.. it'll just be hard for you to say you are doing it for the right reasons now that you said it's for marketing.. :-/

https://www.kialo.com/what-is-the-right-vulnerability-disclosure-policy-7258 has an argument map.
(DIR) Post #APfxSkqop10g797gDw by sirdarckcat@infosec.exchange
2022-11-16T22:47:35Z
0 likes, 0 repeats
@fox @grapheneos I mean, they are free to do what they want with their bugs 🙂. I just feel like the community won't be standing on their side if they think it's putting some users at risk for their own sake.

One thing I did want to mention is that seeing a pattern doesn't necessarily mean there's someone pulling strings behind the curtain.

https://www.nationalgeographic.com/science/article/lacking-control-drives-false-conclusions-conspiracy-theories-and-superstitions
(DIR) Post #APfyePWW2hOvOhkS8W by sirdarckcat@infosec.exchange
2022-11-16T23:02:43Z
0 likes, 0 repeats
@grapheneos @fox Reporting a vulnerability privately and then disclosing it publicly when the bug is fixed (or after a deadline) is possible to do regardless of how bulletins work. These are independent components. One is letting the vendor know about a bug. The other is the vendor letting users know about a bug.

They are somewhat related, but the merits of one aren't relevant to the other. They can be discussed in isolation.