* David Gerard:

> On 23 August 2015 at 12:32, Florian Weimer fw@deneb.enyo.de wrote:
>
>> The blog post is pretty reasonable if you combine the Oracle mindset with the things that some people report as vulnerabilities. I totally get why she just wants to Make It Stop (because of those reports), and the way she picks contracts/licenses (because of Oracle).
>
> "Don't send us automated vulnerability reports, they're not at all helpful" is the one sensible bit of the post, yes.
>
> The license argument, however, is abject stupidity as security advice, and an excellent argument for software freedom.

It's probably still true. I don't think there is a reverse engineering exception for security research. Whether you have to publicly rub it into the face of your customers is a different story, of course.

> C-level executives are people who are empowered to do as they wish. Who could tell her no before the fact? No one, evidently.

At most organizations, the blog software does. Usually, before anything gets out, it is proofread for typos and legal issues.

This does not mean that the executive does not have the final say when it comes to publication, but one can hope that along the process, someone points out the potential backlash, especially if it is as obvious as in this case.

> It's a balance, though. The reason for full disclosure of 0-day vulnerabilities is a long history of vendors lying, covering up and legally suppressing serious problems against their customers' interests.

My own experience is that it does not matter how transparent you are, or what your past track record was. When reporters feel like it, they will throw you in front of the next-best bus. They even disregard their *own* policies.

These people are really smart and creative, and they often behave in ways such people generally do.