Donald Stufft <donald <at> stufft.io> writes:

> > On Jul 30, 2013, at 3:01 AM, Antoine Pitrou <solipsis <at> pitrou.net> wrote:
> > I don't know what I'm supposed to infer from such a statement, except that I probably don't want to trust you. You might think that "publish[ing] working exploits into the wild" is some kind of heroic, altruistic act, but I think few people would agree.
>
> Full Disclosure is a common practice amongst security professionals when the upstream project is unwilling to rectify the problem. So yes I do think the practice of Full Disclosure is an altruistic act and often times the only thing that gets people who don't care to pull their head out of the sand and actually care.
You don't happen to be a random security professional; you are actually part of that upstream project and you have access to non-public (possibly confidential) data about its infrastructure, which gives you responsibilities towards your peers. I don't think I would be the only one to be angry if an infrastructure member started publishing working exploits for unfixed vulnerabilities in the pdo infrastructure. It is a completely irresponsible way to act when you are part of a project or community.

Regards,

Antoine.