The Performance Impact To POWER9's Eager L1d Cache Flushing Fix
Originally posted by ezekrb5:
I know about that, but that's just courtesy. In the real world people will flame you, will publish your vulnerabilities online, and will take advantage of them, especially if you are a big company that has much to lose. I'm not saying that's good, but that's reality; there are no safe spaces. We have to be grateful this was patched ASAP and nobody got pwned.
Last edited by kgardas; 26 November 2020, 05:47 PM.
Originally posted by kgardas:
I don't agree. I think reality is more on the side of responsible disclosure than on the side of wild publishing of vulnerabilities online. Besides, responsible disclosures are also motivated financially, so you can't blame researchers for using them... And also I'm not sure if sometimes, by using irresponsible disclosure, you would not put yourself in danger of a lawsuit -- especially in the US.
Originally posted by sandy8925:
Irresponsible disclosure can only put you in danger of a lawsuit if you're intentionally lying that a vulnerability exists, and in that case only a defamation suit can be filed (and the company has to prove that you're lying).
Do you still think the hospital or the family or both parties will not take you to court? Especially in the US system? (Caveat: as an EU citizen I know the US system just from Hollywood movies.)
Originally posted by kgardas:
I'm not a lawyer, but I'm not so sure at all. Imagine an extreme case: you make an irresponsible disclosure and the company is not able to patch immediately; instead it takes 1 year. During that year someone develops attack code and either he/she or someone else uses it to attack hospitals. They ask for ransom. Communication fails, some hospital does not pay, and hence ends up under active attack. Medical instruments fail one after another and in the ongoing chaos someone dies. The "someone" is later proven to have had a high chance to live; "he/she" was nearly all right but needed a medical instrument for life support at that time, and since the medical instrument failed, that life is gone. Someone's family has some money and pays for an analysis (they or the hospital itself), and the result is that the instrument failure was a direct result of an attack which used your not-properly-disclosed vulnerability. The attacker is unknown. You, as the author of the vulnerability disclosure, are well known.
Do you still think the hospital or the family or both parties will not take you to court? Especially in the US system? (Caveat: as an EU citizen I know the US system just from Hollywood movies.)
Originally posted by sandy8925:
Sure they might take you to court, but they won't have a case. You didn't create the vulnerability, nor did you hack the hospital. You just disclosed the existence of a problem/flaw. There's no guarantee that the flaw wouldn't otherwise have been discovered (or that it hasn't already been discovered and is being actively exploited).
And now, if you did responsible disclosure in cooperation with the company, do you think the risk of you ending up in court would be the same or lower?
I'm asking since IMHO with responsible disclosure the risk for you (as researcher/publisher) will be lower, so at the end of the day you will (possibly) save more time for your research instead of organizing your court defense... What's better?
Originally posted by kgardas:
I don't agree. I think reality is more on the side of responsible disclosure than on the side of wild publishing of vulnerabilities online. Besides, responsible disclosures are also motivated financially, so you can't blame researchers for using them... And also I'm not sure if sometimes, by using irresponsible disclosure, you would not put yourself in danger of a lawsuit -- especially in the US.
Most of the countries which hold the data or use the data are not even the US and lack law enforcement (or don't even have said laws).