A CALL TO ARMS ON RESPONSIBLE DISCLOSURE

[Jean Trolleur <sigtstp () gmail com>]

Greetin's t'my homeys and colleagues uh Full Disclosho' man:

De days uh "responsible disclosho' man" be now behind us.

Fo' years many in de security community been playin' games wid
software and hardware vendo's, by attemptin' t'"responsibly" repo't
security vulnerabilities. Mo'e often dan not, especially de case wid
some select few companies, only one uh de two ssnatchholders involved
be actually practicin' nuthin dat resembles responsibility. Slap mah
fro!

One majo' vendo' comes t'mind here (Apple, I'm lookin' at ya'). Dis
vendo' spends hundreds uh millions uh dollars each year on advertisin'
drough various media claimin' deir products is secure, o' at least
mo'e secure dan de competishun. When actual vulnerabilities is
repo'ted t'Apple, de company may spend down t'a year sittin' on dese
befo'e dey is mitigated by security downdates. Compoundin' dis issue
be de observashun dat security practices in Apple code be ho'ribly
substandard. Even wo'se - due t'de opaque nature uh de company - we
gots absolutely no idea if changes is in place t'improve downon dese
issues.

All uh dis brin's us t'de inevitable conclusion, dig dis: Responsible
disclosho' be only justifiable wid responsible vendo's. If vendo's
likes Apple continue t'completely disregard security, dere be no
reason fo' any sucka in de community t'play deir game. Dank ya', and
baaaad night. Man!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/