
flumpcakes today at 12:40 AM

Did the author actually disclose this RCE or just open random PRs and claim there's an issue?

It doesn't appear that the author is acting in good faith; instead, they are grandstanding in public because they feel superior.


Replies

apublicfrog today at 1:09 AM

The author quite clearly outlines their reasoning for this in the article:

> Carrot Disclosure, dangling a metaphorical carrot in front of the vendor to incentivise change. The main idea is to only publish the (redacted) output of the exploit for a critical vulnerability, to showcase that the software is exploitable. Now the vendor has two choices: either perform a holistic audit of its software, fixing as many issues as possible in the hope of fixing the showcased vulnerability; or lose users who might not be happy running known-vulnerable software. Users of this disclosure model are of course called Bugs Bunnies.