> Moral of the story, if you have to ask if it's a disclosure, you are better
> safe than sorry and keeping the info under close wraps until you confirm it.
I think it's better it was disclosed than had it not been disclosed at all. While I agree to an extent that there could have been more optimal ways for the disclosure in this particular case, I think we should not try to discourage disclosure. If someone spots something and asks a very generic question, I'm like 99% sure folks will tell him to be more detailed, else they can't have an opinion. (Which basically is what he did: he asked one person a generic question and that person told him to ask it here, so I guess it's reasonable that he was more detailed when doing so.) Now, if we tell people who spotted something AND did some additional research on it, which is IMHO commendable, that they had better not have disclosed anything before checking with so-and-so and waiting such-and-such an amount of time (which they might be aware of, or not), the next such person will likely just think, oh, sod it, maybe it's not so important anyway. (It's not like this was a complicated 0-day where the itsec engineer who found it would already have known exactly who to contact in advance.) Blaming the person who disclosed it is not helpful, I think.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

