WikiProject Computer Security / Computing (Rated Stub-class, High-importance)
full disclosure & responsible disclosure are two separate entities. Full disclosure is often, unfortunately, required in order to motivate some vendors in order to address vulnerabilities, but responsible disclosure should be the first step in getting a security issue fixed.
"(Undid revision 442197272 by 188.8.131.52 (talk) rv non-NPOV loaded language) (undo)"
The term (lemma) "Responsible disclosure" is itself non-NPOV loaded. It contains value judgement ("responsible") and it does not - as is claimed in the first sentence of the article - "describe" a "model" of disclosure.
Actually rs stands for hiding vulnerabilities by not disclosing them to the public. The term rs is a modern example of newspeak.
I've removed the strikethrough formatting on one of the examples - there's no reason for this given in the main article. Can someone with more knowledge in the area determine whether this is either a) a valid example, b) invalid (in which case it should be removed), or c) add some explanation for the formatting? Tiredgrad (talk) 07:03, 6 August 2014 (UTC)
Reference to iDefense and others
"Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005."
I was wondering what the significance of including these companies is in regards to information on Responsible Disclosure. While they're "big players", the term responsible disclosure is more a general term for how a vulnerability is disclosed and citing companies seems to be a little out of place. Correct me if I'm misguided, would love to know more about this topic.
Misses the heart of the matter
This article is problematic and provides no cogent summary of the core ethical conflict around responsible disclosure. Everyone is willing to promote their own idea of what this term means, and they do so with very different agendas and end-states in mind. To be decent it must cover all of the core conundrums. First, there are those who feel early and open disclosure IS "responsible". There are vendors who believe that no disclosure ever is the only "responsible" thing. And then there are the historical efforts to strike a balance. The second controversy, which is at least discussed, is the paid vs unpaid reporting and the bounty vs extortion controversy.
This is a critically important issue on the Internet and I would really appreciate it if one of the cybersecurity editors would make time for this. I would do it myself, but because I am not involved in several disclosure processes, I feel that I would have an inappropriate bias. However, this current article is so poor that if it does not improve in the next few months, I will take a stab at it, biases and all. Ftrotter (talk)