What’s great about these privacy warnings is that nobody is calling the researchers irresponsible for revealing them immediately to the public, & Twitter is thanking them instead of trying to shift blame to them.

Why are security vulnerability disclosures treated differently?
Is it because a security vulnerability might let an attacker take over a system?
Well, often they do so to steal private data. Data privacy is so important, there are laws & fines for data misuse & breaches.
So why would privacy holes that expose data be fine to disclose pre-fix?
I’ll tell you why:
Privacy is an even more recent concept among most people than security & hasn’t had nearly the investment in anti-researcher propaganda from those who profit from having all that data in the 1st place.
Security bugs dropped as 0day don’t get the same gratitude.
That’s understandable due to all the scrambling required from so many people to apply patches or mitigations for 0day drops.
🤔
Data privacy leaks on the other hand are usually either a done deal, & you sign up for credit monitoring 🤷🏻‍♀️, or only one company has to act to fix it.🛠
But either way, attackers might use security or privacy holes that are publicly disclosed before a fix is made. So rather than start vilifying privacy researchers dropping pday, we should question the near-universal jump to condemn security researchers who publicly disclose 0day.
Before you say “but ransomware!”, the security holes were always there. Recent ransomware attacks threaten victims with - you guessed it - data leaks.
So if you’re celebrating privacy researchers dropping unpatched privacy holes via Twitter, maybe look at 0day PoC differently too.
Orgs don’t have a way to report privacy issues…privately?
They might not have a special door, but security researchers deal with that barrier all the time & hunt down someone to tell via Twitter.
Privacy bounties?
I created 1 as part of the 1st Microsoft #bugbounty & this one👇🏼 https://twitter.com/k8em0/status/983725437158416384
Anyway, happy Friday. Remember that reasonable people will disagree about the best way to reduce risk.
But public safety should be a priority for both security & privacy holes.
Public disclosure is a fundamental part of public safety, & the only villains are orgs that hide truth.
You can follow @k8em0.