Vulnerability Disclosure Debate

The cluster discusses debates around responsible disclosure of security vulnerabilities, focusing on timelines like 90-day windows, patch release delays, notification to vendors, and whether disclosures were timely or irresponsible.

➡️ Stable 0.6x Security

| Comments | Years Active | Top Authors | Topic ID |
|---|---|---|---|
| 3,440 | 19 | 5 | #6216 |

Activity Over Time

| Year | Comments |
|---|---|
| 2008 | 14 |
| 2009 | 12 |
| 2010 | 46 |
| 2011 | 54 |
| 2012 | 84 |
| 2013 | 146 |
| 2014 | 218 |
| 2015 | 288 |
| 2016 | 178 |
| 2017 | 342 |
| 2018 | 424 |
| 2019 | 301 |
| 2020 | 170 |
| 2021 | 248 |
| 2022 | 196 |
| 2023 | 239 |
| 2024 | 203 |
| 2025 | 259 |
| 2026 | 18 |

Keywords

NEXT, SQL, CVE, HN, twitter.com, POC, i.e., NOTE, LPE, GB, patch, vulnerability, disclosure, days, 90, 90 days, disclosing, security, bug, fix

Sample Comments

cookiecaper, Sep 25, 2014

Look at the original announcement from earlier today. This was a known issue and responsible disclosure was exercised -- the issue didn't become public until 5 minutes after the embargo was lifted (i.e., 5 minutes after it was agreed the issue and patch would go public). Since it's so easy to exploit this bug, it'd be impossible to release a patch without people taking notice and immediately beginning to exploit vulnerable systems. Someone just did a really bad job vetting the p

roblabla, Aug 13, 2015

Keeping it secret wouldn't have been very useful. The original issue was already well-known, and seeing the severity and media-exposure of the bug, it is very possible malicious actors studied the patch and independently found out about the problem that came with it. At this point, it is better to let the public at large know they are at risk than let the skiddies have fun with this pseudo-0-day.

jonas21, Jun 29, 2021

I assume they haven't fixed it yet because they don't consider it to be severe enough to prioritize a fix. So the reporter waits >90 days, then publicly discloses. Isn't this exactly how it's supposed to work?

eikenberry, May 26, 2017

There's nothing stating they didn't inform them a while back and wait to give them a chance to patch it before disclosing it.

xivzgrev, Jan 10, 2024

Thanks for the clarification - I also read this as it took them a MONTH to fix the vulnerability.

smith7018, Oct 29, 2014

For all we know, he disclosed it 4 days ago. Merely disclosing a vuln doesn't mean an appropriate amount of time has passed where it could be patched. Remember, real users' info is at stake.

user5994461, May 9, 2017

The disclosure is irresponsible. The post published today contains information on how to exploit the bug with working code for a POC, confirmed to work. The Windows patch is published today. It's gonna take weeks to propagate to the Windows computers around the world.

nashashmi, Feb 12, 2025

Does Google still do those security vulnerability reveals if the thing has not been fixed in 90 days? This was fixed in 147 days.

zwass, Jun 16, 2022

It's unbelievable to me that they waited over 3 months from when they became aware of this vulnerability until disclosing to affected organizations.

gshutler, Jun 4, 2015

Where's the attempt to submit a patch to fix the problem before disclosing?