Full Disclosure mailing list archives

Shiver me timbers.


From: full-disclosure () lists netsys com (Timothy J.Miller)
Date: Mon, 19 Aug 2002 14:17:43 -0500

On Monday, August 19, 2002, at 12:42 PM, aliver () xexil com wrote:

      However, if we consider a problem that involves someone being able
to easily perpetrate a malicious action against the car owner due to a
manufacturer defect, then it's apt. See how that works? Now, trucking
right along, if someone decides to make a hobby or a career out of
finding these specific types of defects, they don't really have any
obligation to report them for free to anyone. They did the work to find
the bug, they _will_ decide what's morally right to do afterwards
regardless of how many "standards" documents are written by people who
think they have superior ethics. If that means they want to withhold the
information for what they consider to be a better purpose, then it's not
only their choice, but they also might be morally justified to do so. It
all depends on the circumstances.

Okay, I'll concede the bad analogy, and the misapplied substitution of 
your own.  My bad, I'll pay more attention next time.

I think, at this point, I see the common ground we share.  I agree that 
whether to disclose a new vulnerability is ultimately the decision of 
the discoverer.  I do not agree that an ultimately convincing case can 
be made where non-disclosure is morally preferable to disclosure.  I do 
not, of course, have the ethical or legal authority to enforce my 
opinion on others.

-- Cerebus


