The FBI sleeps when libraries burn

    • Zagorath
      link
      fedilink
      English
      85 months ago

      90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

      • @ITGuyLevi@programming.dev
        link
        fedilink
        English
        55 months ago

        90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

        • Zagorath
          link
          fedilink
          English
          15 months ago

          I agree in general, but

          Maybe I’m over simplifying it though, I don’t know how their org operates.

          This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.