Snyder was on the panel discussion I had really wanted to attend Saturday morning but missed. This was a discussion on disclosure practices, full, limited and responsible. Based on this register piece, now I am really kicking myself for not getting up and moving in time to catch it.
At question is the power security researchers have over vendors. However, since the researchers ultimately have little or no power to effect fixes, except perhaps for open source projects, I suspect there is a better balance than Snyder’s remarks imply.
Following through to the News.com piece, there is clearly more contention still going on with regards to responsible disclosure. As with any compromise, it can certainly be gamed, but however disclosure is undertaken, the vendor has to be incented to fix the flaw at issue.
I am inclined to side with the likes of Schneier on reject that responsible disclosure is only a marketing term. That only makes sense when the researcher forfeits their position completely to the vendor. I am not saying that does not happen but there are just as many examples of researchers who have stuck by their guns and tried to find a reasonable, and legal, balance, like, well, Abi Rubin, among others.