Hey cyber security peeps, is there some sort of best practice or algorithm for determining *how long* one should give a corporate entity after notifying them of a serious security issue before going public about it?

@siderea I think it depends on how wary you are of corporations deciding to drag you through the courts.

If you don’t care about that, then perhaps Google Project Zero’s policy is appropriate. https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html


@samir @siderea pretty much this, it depends on how you found it, how easily discoverable you think it is, and if you have reason to believe it's being exploited by anyone else.

In the last case, Google's 7-day policy is generous.

@siderea Ethical disclosure seems to be at least 90 days. While a vendor could ideally develop and release a remediation in that time, they may, in some cases, want more. If so, they should reach out to the person who reported it to indicate they are working on a fix and to ask for more time before disclosing. As others suggest, this is a common time frame, but it won't necessarily insulate you from the ire and legal tantrums of the vendor you've disclosed to.