I'm having a discussion with a vendor, maybe you can help me out. What's the goal of a security advisory?

As such, when should a security advisory be published?

To make this clear: this is about security advisories as published by the vendor. Just assuming that the researcher went for coordinated disclosure or no disclosure at all.

@WPalant I've also seen security advisories published before there's even a patch, in some cases—when there's a workaround, and the patch will take a while to produce.

Unless the vendor has been given ample time to fix their shit and has done nothing, the disclosure should await the fix.

@ScottMortimer That's the assumption in the question - that disclosure happens after the fix, probably considerably later.

@WPalant Before I comment: I don't judge any researchers for how they choose to disclose. Everyone has their reasons. IMO the disclosure is partly to inform users, partly to publicise the vulnerability so the industry can move forward and maybe stop making that mistake. I think there's value in letting "most" users patch before dropping complete details.

@tk A security advisory is published by the vendor, not by the researcher.

@WPalant Okay, for that specifically - both user safety and PR. They're inseparable.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.