Proper disclosure is flawed with most companies, because they believe it is a one-way street. They believe we have to follow it, but they can do whatever they want. Proper disclosure is a two-way street where each party has to follow it, meaning we report to the company and the company fixes the issue. Einstein would define what we’re currently doing as insanity, because we do the same thing over and over expecting a different result, yet companies just repeatedly ignore us.
This is very nice and all from the researcher’s viewpoint. But not always. What if you have a vendor, Company A for example in this list, and they sue you for including them? What if they sue the researcher for disclosing the bug publicly (they would probably lose, but they might do it just for intimidation)?
Truth be told, I’m already doing this, based not only on past experiences but also on an estimate I make at the time.
I’ve stumbled upon a picture recently on Twitter:
There are some researchers who do it for the money. This is a pretty respectable cause as well. What do you suggest they do if the vendor is not paying / pays too little? Should they still disclose the bug and get something like $50 for that stored XSS?
Also, let me know what you think about a variation of Google Project Zero’s policy:
There’s a list of vendors and each vendor has, let’s say, 60 days. If they don’t reply, the information is publicly disclosed. If a vendor is not working well with the security community, you can decrease that limit to 30 days for example, or even down to 0 days (pun intended ;-)). If they are proven to do the best they can, you can increase the limit all the way up to 90 days, or even more in some specific cases.
This list must not be kept internally but rather be public, so that anyone can discuss it and share their experiences, overall improving the list.
What if someone sues you for having a book with a picture they don’t like? What if someone sues you for offending them by teaching a law class? What if someone sues you for peeling an orange in your bathtub on a Tuesday? I apologize if I got the day wrong when that is illegal, but that is an actual law in a certain town. A good Twitter account about nutty laws is @alawaday.
We may make the list accessible in the future; until then there is a public list on attrition.org, which publicly lists companies.