
user5994461 | 5 months ago

> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?

You don't publish because you don't want to cause harm and you don't want to be liable for it.

You need to realize that vulnerabilities don't exist in a vacuum. They grant access to computer systems that control the lives of people (millions of people), including their personal information, passwords, passport photos, card numbers, jobs, paychecks, transportation, food, etc., which very likely includes you, your mom, your family, and your friends as you deal with larger companies.

When you publish a vulnerability, it will immediately be used by bad actors that intend to cause harm to all these people, including employees and customers.
