Reminder that CVD is a standard (in the same way that Test Driven Development is a standard approach that someone might choose), not the standard (something that everyone must or should do). Attempting to frame CVD as "responsible disclosure" is at attempt to staple a value judgement onto that approach.
Also, for software like Windows where researchers find vulnerabilities by inspecting software locally, the idea of prosecuting a US-based researcher for disclosing a vulnerability to the public is laughable and would not succeed.
2 comments
[ 4.6 ms ] story [ 12.1 ms ] threadReminder that CVD is a standard (in the same way that Test Driven Development is a standard approach that someone might choose), not the standard (something that everyone must or should do). Attempting to frame CVD as "responsible disclosure" is at attempt to staple a value judgement onto that approach.
Also, for software like Windows where researchers find vulnerabilities by inspecting software locally, the idea of prosecuting a US-based researcher for disclosing a vulnerability to the public is laughable and would not succeed.