[Development] RFC: Qt Security Policy

d3fault d3faultdotxbe at gmail.com
Fri Oct 19 17:54:59 CEST 2012


On Fri, Oct 19, 2012 at 8:27 AM, Oswald Buddenhagen
<oswald.buddenhagen at digia.com> wrote:
> google "responsible disclosure"


No need, and that's hardly an argument. What if I said: google "full
disclosure" as my counter-argument?

So anyway, I'll bite, even though we've already been over this.
Responsible disclosure is very similar to full disclosure except that
there's a window of time where a variable-size group of individuals
are sitting on the vulnerability information until a fix is delivered.
As I've said before, holding onto that information only extends the
window in which an exploit can be utilized. It has a vital flaw: it
requires you to trust other human beings. A group of them no less.

"Security information moves very fast in cracker circles." (
http://openbsd.org/security.html )

You only need ONE weak/corrupt link in your group of "trusted"
analysts for the practice of "Responsible Disclosure" to now ACTIVELY
CAUSE HARM TO USERS who you are trying to protect.

Full disclosure allows everyone to analyze their own situation and
decide whether or not to bring their systems down (sometimes this
can't be helped) until a fix is available.

Next!
d3fault


