


















I think for the entire debate – especially given the increased number of vulnerabilities LLMs are concurrently uncovering at the moment – it is important to remember that embargoes are an inherently bad thing:
Security embargoes are a nice newspeak way to say "we intentionally keep our users uninformed and rob them of any choice to be vigilant, apply mitigations, or make other decisions to protect themselves", which actually is a pretty evil thing if you think about it.
Now there are situations where it might be the lesser of two evils, namely if it is a) a high-risk vulnerability that b) cannot be reasonably mitigated in practice, and c) where you can be reasonably certain that the vulnerability is not yet known to potentially malicious third parties. In this case, an embargo can be a reasonable choice – but only if all three conditions are met. And even then it still has the inherent risk that you’re wrong about c).
Now in your scenario, we already fail at option a) – if the reporter is not even sure something actually is a security vulnerability, they definitely cannot assert that it is a high risk security vulnerability. Therefore, embargo or not shouldn’t even be a question here.