Didn’t Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such “act” is right, then banning the company should also be right. Ban all of them.
The “vulnerability” in ffmpeg was only for an addon, which required a separate download by the user, which was only for a cinematic which was only in the game Star wars xwing vs tie fighter from the 90s, which would only occur at exactly 17s into the fmv.
There was a protocol for reporting security vulnerabilities. Of course some companies don’t follow the protocol when vulnerabilities are reported to them, but that’s their problem.
You report the problem and then you wait 1 month, if the company still hasn’t fixed the issue by then, then you publicly announce it.
Unless it is an open source piece of software, any vulnerability I find will be publicly posted while I remove all software using it from all my devices and infrastructure.
That’s the difference between a security researcher who gives, and does not give a shit about peoples security.
The grace period is to protect people by giving the company time to send out patches. At 1 month, they publish the exploit to shame the company and get the cred either way.
The thing is if you want to continue working in the industry you have to give people the benefit of the doubt and give them time to fix the issue. If you don’t do that you’re very quickly find yourself to be out of a job no one wants to lose cannon, is bad for business.
Its not even the benefit of the doubt. They still publish and name and shame at 1 month. Its just to avoid harm to the users who the security researchers are ostensibly working to protect.
This, I can totally be behind this. I take it back, no public shaming, because of the users. Couldn’t care less about the fucking proprietary driven bullshit development companies.
Didn’t Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such “act” is right, then banning the company should also be right. Ban all of them.
The “vulnerability” in ffmpeg was only for an addon, which required a separate download by the user, which was only for a cinematic which was only in the game Star wars xwing vs tie fighter from the 90s, which would only occur at exactly 17s into the fmv.
There was a protocol for reporting security vulnerabilities. Of course some companies don’t follow the protocol when vulnerabilities are reported to them, but that’s their problem.
You report the problem and then you wait 1 month, if the company still hasn’t fixed the issue by then, then you publicly announce it.
Unless it is an open source piece of software, any vulnerability I find will be publicly posted while I remove all software using it from all my devices and infrastructure.
That’s the difference between a security researcher who gives, and does not give a shit about peoples security.
The grace period is to protect people by giving the company time to send out patches. At 1 month, they publish the exploit to shame the company and get the cred either way.
The thing is if you want to continue working in the industry you have to give people the benefit of the doubt and give them time to fix the issue. If you don’t do that you’re very quickly find yourself to be out of a job no one wants to lose cannon, is bad for business.
Its not even the benefit of the doubt. They still publish and name and shame at 1 month. Its just to avoid harm to the users who the security researchers are ostensibly working to protect.
This, I can totally be behind this. I take it back, no public shaming, because of the users. Couldn’t care less about the fucking proprietary driven bullshit development companies.