Hacker News

rustyhancock today at 6:42 AM

A curious approach, but I like it!

Wonder if this means just publishing vulnerabilities without contact with curl team would be responsible (you have no other path to tell vulnerable users).


Replies

MatthewWilkes today at 6:50 AM

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

SweetSoftPillow today at 7:30 AM

It would certainly be irresponsible.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

CamouflagedKiwi today at 7:34 AM

Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.

cmxch today at 6:55 AM

Just publish early due to a documented lack of cooperation. They don’t have to answer, but you don’t have to wait.

Naturally some people find this offensive since this puts a price on that “bliss”.
