But these bugs are the kind that anyone could stumble upon, and if they are not security researchers, their first instinct is to let everyone know about a crazy thing they found. I can't really blame them.
If companies want more responsible disclosure they should introduce harder-to-find bugs - sneaky edge cases in memory allocation sequences, stuff you'd have to pore over a disassembler for weeks, or slightly weakened PRNGs that would take some serious knowledge of finite fields to discover :-)