Talk:Responsible disclosure

From Wikipedia, the free encyclopedia
WikiProject Computer Security / Computing  (Rated Stub-class, High-importance)

Full disclosure and responsible disclosure are two separate entities. Full disclosure is often, unfortunately, required in order to motivate some vendors to address vulnerabilities, but responsible disclosure should be the first step in getting a security issue fixed.

Give the vendors, your families, friends, and sysadmins a fighting chance. —Preceding unsigned comment added by (talkcontribs) 13:29, 15 September 2006


"(Undid revision 442197272 by (talk) rv non-NPOV loaded language) (undo)"

The term (lemma) "Responsible disclosure" is itself non-NPOV loaded. It contains value judgement ("responsible") and it does not - as is claimed in the first sentence of the article - "describe" a "model" of disclosure.

Actually rs stands for hiding vulnerabilities by not disclosing them to the public. The term rs is a modern example of newspeak.

-- (talk) 15:51, 3 October 2011 (UTC)

I've removed the strikethrough formatting on one of the examples - there's no reason for this given in the main article. Can someone with more knowledge in the area determine whether this is either a) a valid example, b) invalid (in which case it should be removed), or c) add some explanation for the formatting? Tiredgrad (talk) 07:03, 6 August 2014 (UTC)

reference to iDefense and other

"Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005."

I was wondering what the significance of including these companies is in regards to information on Responsible Disclosure. While they're "big players", the term responsible disclosure is more a general term for how a vulnerability is disclosed, and citing companies seems to be a little out of place. Correct me if I'm misguided; I would love to know more about this topic.

Judge (talk) 02:49, 14 January 2018 (UTC)

Misses the heart of the matter

This article is problematic and provides no cogent summary of the core ethical conflict around responsible disclosure. Everyone is willing to promote their own idea of what this term means, and they do so with very different agendas and end-states in mind. To be decent it must cover all of the core conundrums. First, there are those who feel early and open disclosure IS "responsible". There are vendors who believe that no disclosure ever is the only "responsible" thing. And then there are the historical efforts to strike a balance. The second controversy, which is at least discussed, is the paid vs unpaid reporting and the bounty vs extortion controversy.

This is a critically important issue on the Internet and I would really appreciate it if one of the cybersecurity editors would make time for this. I would do it myself, but because I am not involved in several disclosure processes, I feel that I would have an inappropriate bias. However, this current article is so poor that if it does not improve in the next few months, I will take a stab at it, biases and all. Ftrotter (talk)