The FBI sleeps when libraries burn

  • Zagorath
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 month ago

    90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

    • ITGuyLevi@programming.dev
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 month ago

      90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

      • Zagorath
        link
        fedilink
        English
        arrow-up
        1
        ·
        30 days ago

        I agree in general, but

        Maybe I’m over simplifying it though, I don’t know how their org operates.

        This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.