If you assess that the best time to publicly disclose is immediately then disclose immediately.

But I find that this case is rare. Typically it would be something like many of the following being met:

- It is likely to be discovered by an attacker soon.

- History shows that the company is unlikely to fix it soon.

- Users have some way to protect themselves.

- Your disclosure is likely to reach a significant number of users.
How do you know it hasn’t been discovered by another attacker already?
You don't, but you make a judgement call based on different criteria, such as how difficult the issue was to find, maybe how popular/big the site is, etc., as to whether or not you think anyone else is likely to know about it already.