Conversation

Notices

1. Embed this notice
   Jason Parker (he/they) (north@xn--8r9a.com)'s status on Friday, 08-Dec-2023 03:26:44 JST Jason Parker (he/they)

   It's now been one week and one of the court platforms in my recent disclosure[1] is still vulnerable to the issue that was reported to them by multiple state agencies over two months ago. They have not responded to my emails.

   At what point does it become appropriate to publish a PoC? There's some Really Bad Shit™️ that can be obtained, so it's a tough position to be in.

   [1] https://github.com/qwell/disorder-in-the-court

   • Embed this notice
     iced depresso (icedquinn@blob.cat)'s status on Friday, 08-Dec-2023 03:26:43 JST iced depresso

     in reply to
     @north isn't there some standard number of days that usually go in to disclosures
   • Embed this notice
     iced depresso (icedquinn@blob.cat)'s status on Friday, 08-Dec-2023 03:57:36 JST iced depresso

     in reply to
     @north i don't recall the exact number but i think its something like up to 90 days for ethical disclosures. typically starting after the initial contact is made with the appropriate people.
     
     i've definitely seen things published that affect important systems when ex. Cisco just refuses to act
   • Embed this notice
     Jason Parker (he/they) (north@xn--8r9a.com)'s status on Friday, 08-Dec-2023 03:57:37 JST Jason Parker (he/they)

     in reply to

     • iced depresso

     @icedquinn 🤷

     I'm pretty torn on it, ethically, because of the stuff that can be obtained. Ultimately though, I think it would be better to publish one, since it should force them to actually fix it. I'm clearing it with some people first, but I'm thinking I'm going to do that later today or tomorrow.