undefined | Better HN

0 pointsdelusional10mo ago0 comments

> "Responsible" disclosure is paradoxically named because actually it is completely irresponsible.

It's only paradoxical if you've never considered the inherent conflicts present in everything before.

The "responsible" in "responsible disclosure" relates to the researchers responsibility to the producer, not the companies responsibility to their customers. The philosophical implication is that the product does what it was designed to do, now you (the security researcher) is making it do something you don't think it should do, and so you should be responsible for how you get that out there. Otherwise you are damaging me, the corporation, and that's just irresponsible.

As software guys we probably consider security issues a design problem. The software has a defect, and it should be fixed. A breakdown in the responsibility of the corporation to their customer. "Responsible disclosure" considers it external to the software. My customers are perfectly happy, you have decided to tell them that they shouldn't be. You've made a product that destroys my product, you need to make sure you don't destroy my product before you release it.

The security researcher is not primarily responsible to the public, they are responsible to the corporation.

It's not a paradox, it's just a simple inversion of responsibility.

0 comments

einsteinx210mo ago

> The security researcher is not primarily responsible to the public, they are responsible to the corporation.

Unless the researcher works for the corporation on an in-house security team, what’s your reasoning for this?

Why are they more responsible to the corporation they don’t work for than for to the people they’re protecting (depending on the personal motivations of the individual security researcher I guess).

drowsspa10mo ago

With "simple reversion of responsibility" do you mean your twisted logic of "everyone should think first and foremost about my profits"?

j / k navigate · click thread line to collapse