Truthfully you have no obligation either way if:
You found the problems under a legitimate installation of the software (following all ToS/Fair Usage Guidelines, etc)
You did not modify or compromise the security of the system in any known way by purposefully setting the system up in such a way as to be insecure (i.e. purposefully uninstalling security measures that it has)
You cannot conceivably be considered a rival for financial gain in the same market space.
If this product is purely open source and under a free license, the last is obviously true, leaving only the first two to be considered (if it has commercial licensing this may be a different matter).
You can openly document any issues you have with software as long as you provide that they are your opinion, and that you back said issues up with proof (preferably verified by a third-party) in some form (blog, mailing list, etc).
If you are a security researcher specifically assigned to research the product, or intending to publish your findings as part of your corporate reporting, your legal department will have additional rules that you need to follow (consult with them).
I believe the dilemma is purely ethical and I would like to quote one part of your post:
I do have somewhat selfish reasons for saying "look how clever I am! I found these problems in the code!" but they are tempered by wanting to give the developers time to fix the code and I know well that ego and pride can be involved in these matters.
If you consider your ethical reasoning to be fair then you should follow whatever common sense you find most reasonable (I believe SANS to be very fair in this case).
Maybe there is no active community. Maybe they just don't care. Maybe, oh my, they put the security flaws in there on purpose. If your question is how long to wait before going public, then it sure seems that you've given them every reasonable chance to respond to you. So if you think going public serves the public, go public.
Can't argue with recommendations from SANS, despite developer size. No matter the size of a team, 30 days is plenty of time to address most issues. Since they are being silent, there is a chance that you're not the first to find the issue.