Schneier: Dangers of Reporting a Computer Vulnerability

Bruce has another very interesting post about the reporting of security bugs/exploits to the authorities. [linky]

I wonder if it would be possible to start a site that accepted anonymous tips from people and, before publishing them, reported them to the appropriate entities. Of course, there would be the potential for false posts, but if it were an agreed upon (ha!) site, by both the authorities and the security community, there would at least be a little more freedom to get that information to the right people.

Really, it is in everyone’s best interests to have an anonymous system for reporting these things. The company shouldn’t care who sends this stuff in, as long as it is a valid problem and they are notified of it. Of course, most companies take an entirely different view of that.