Comment

Google Knew About Heartbleed and Didn't Tell the US Government

36
ObserverArt4/15/2014 6:56:10 pm PDT

re: #30 First As Tragedy, Then As Farce

Your point stands, but it’s generally considered unethical to announce a huge security vulnerability to the world at large without first notifying the upstream source (i.e., the devs who wrote the insecure software) and giving them an opportunity to fix it — all the better if you can submit a patch yourself.

It would have been a truly dick move for Google to come out publicly and say “OH HAY GUISE, OpenSSL is FUBAR at the moment and can leak random 64k segments of whatever’s in the server’s memory to whoever sends a heartbeat signal, and by the way it’s not fixed yet so go ahead and exploit as many servers as you can. ta-ta for now!”

So, you think if they told the government the government would make it public? To me the government and public are two completely different things, especially right now with all the security politics. You are more or less saying it is unethical to tell the government before it is patched. I happen to think it is unethical to not tell the government due to security issues.

Edit…damn Charles got me by moments!