On 02/02/2017 07:30 PM, liberationtech-requ...@lists.stanford.edu wrote:
> Message: 14
> Date: Thu, 2 Feb 2017 11:24:01 -0500
> From: Rich Kulawiec <r...@gsp.org>
> To: liberationtech <liberationt...@mailman.stanford.edu>
> Subject: Re: [liberationtech] Can you confirm these are not best practices for handling disclosure?
> Message-ID: <20170202162401.ga4...@gsp.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, Jan 30, 2017 at 05:49:08PM -0500, Zak Rogoff wrote:
>> Is anyone who's knowledgeable about disclosure policies able to take a
>> look at it and share your thoughts?
>>
>> To me, it looks like it's not much of a protection for the researchers,
>> because it's totally voluntary and apparently allows companies to ignore
>> it if they make such arbitrary judgements as that the security
>> researcher didn't give them a "reasonable" amount of time between
>> private and public disclosure.
>
> You're correct. This policy is worthless, as are -- to a good first
> approximation -- all the "responsible disclosure" policies I've seen.
Thanks for your reply, Rich. It's a pity, though not surprising, that this kind of policy is the norm. How far afield from major software companies do you have to go to find one with a policy about handling researchers that is actually ethical and productive? What are some examples of better policies?

--
Zak Rogoff // Campaigns Manager
Free Software Foundation