Quote:
Originally Posted by techhelpbb
Starting today it's been 30 days since I sent my first e-mail about this.
6 months is the end of January 2013.
If I follow through with the 6 month process as it stands now, I'll be giving the next interloper the perfect window of opportunity for 2013 by publishing in late January. FIRST, who might do nothing with the knowledge till then, would have little time to react. Worse, FIRST will have solidified all their purchases and shipped all the kits of parts.
Suffice it to say I'm not thrilled with this. Worse, even if I don't point it out, then depending on a number of likely factors these exploits will be readily available to any interlopers that we don't know about if they've stumbled on them.
If that's not a house of cards I don't know what is.
So if I publish that information I risk FIRST responding by sanctioning me.
If I don't publish that information who knows if or when it'll get exploited.
For those who get the reference:
'The only way to win is not to play' and unfortunately I don't mean looking for security problems.

It doesn't have to be exactly 6 months. One might contact them and say "I will publish these findings on X date unless this is followed up with and another effective course of action is carried out". I don't think anyone here would be against one who did that, or support the powers that be for sanctioning such an individual. The point is that it is responsible disclosure.