> The burden of proof lies with the person who says publishing research and making it immediately available to those it directly affects is irresponsible. It is not.
Burden of proof? This isn't a court case. The overwhelming majority of users will never see a vulnerability write-up, do not have the education needed to understand such a writeup and - even if they saw the writeup and understood it - lack the tools and information to fix a vulnerability in proprietary software.
The vendor only factors in because they are the only one who can fix the issue.
A disclosure like this only helps hackers and the few consumers who are capable of hacking their own product. It hurts everyone else.
> The vendor releasing the patch (prior to publication of the paper) is just as much a drop of the 0day as publishing the paper is.
Who here is arguing against disclosure? We're arguing for responsible disclosure. Once the vendor distributes a patch, consumers can actually do something to protect themselves. At that point, you can put the vendor on blast all you want without harming the consumers.