The FBI sleeps when libraries burn

  • Zagorath@aussie.zone
    link
    fedilink
    English
    arrow-up
    48
    ·
    1 month ago

    If they were really “the hero”, they’d follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.

    • Ashelyn
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 month ago

      90 days to cycle private tokens/keys?

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 month ago

        90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

        • ITGuyLevi@programming.dev
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 month ago

          90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

          • Zagorath@aussie.zone
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 month ago

            I agree in general, but

            Maybe I’m over simplifying it though, I don’t know how their org operates.

            This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.