this post was submitted on 22 Aug 2024
8 points (100.0% liked)

Cybersecurity - Memes

1964 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 

To be clear, not all companies are like this.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 2 months ago (3 children)

Disclosure to the company is only half of responsible disclosure.

  1. Report bug to company privately, and specify a date where the details will be made public. 90 days is a good starting point, but there is room for negotiation up or down depending on how complex the bug is (more complex = harder for someone else to discover = less urgency to patch) and how much impact there is (more impact = more risk if someone malicious discovers it = more urgency)
  2. While you wait, apply for a CVE number and determine a CVSS score - this helps signal how critical the bug is
  3. Once the company publishes a patch (or the embargo date is reached, which ever comes first), publish details of the research

The point of responsible disclosure is to balance the vendors need to have time to fix security bugs before the details are publicly known against the customers right to know that there are unpatched bugs so they can take measures to mitigate their risks. It isn't a free pass for vendors to never patch things

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (2 children)

Not so in Germany, where you can be hit with charges by the company. In one famous case in 2021, the conservative party pressed charges against a data researcher, after she responsibly disclosed a massive data leak via their party app. After the court determined, that afromentioned data was insufficiently secured, those charges were dropped.

This proved to the tech-side in Germany, that responsible disclosure just harms yourself in the end and that German companies (and political parties) might as well go fuck themselves.

Edit: Grammar

[–] [email protected] 0 points 2 months ago

Somewhere in the HQ of the german conservative party

[–] [email protected] 0 points 2 months ago

Man germany at the highest clown rating in the digital era.