Google Project Zero do not use the term “responsible disclosure” to describe thi... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		lawnchair_larry on Nov 27, 2019 \| parent \| context \| favorite \| on: FortiGuard XOR Encryption in Multiple Fortinet Pro... Google Project Zero do not use the term “responsible disclosure” to describe this. They quite openly reject the term and do not follow “responsible disclosure”, which would prohibit then from publishing exploit details even after the fix is out, and would prevent them from disclosing that an issue even exists prior to a fix being available. The term was specifically a social engineering attempt to brand exactly what GPZ is doing as irresponsible (even though they didn’t exist at the time).

gwd on Nov 27, 2019 [–]

Do you have a reference for any of this?

The Wikipedia page on Responsible Disclosure lists GPZ as one of their first examples.

All of the people I know in this area consider the threat of publication as a implicit part of the "responsible disclosure" process.

[1] https://en.wikipedia.org/wiki/Responsible_disclosure

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact