Hacker News new | past | comments | ask | show | jobs | submit login

That brings up an interesting question though. How long is long enough for disclosure in cases where the company has made it impossible to notify them of a vulnerability? If someone tries 10 different ways to get in touch and makes absolutely no progress it would seem that it would be better to disclose sooner rather than later.

Giving companies plenty of time to fix a vulnerability is one thing but if the company isn't even working on the issue because they've isolated all external contact at least if disclosure happens sooner that's less time that an unknown attacker can use that vulnerability without anyone being aware of the issue.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: