Hi
* On Tue, Nov 14, 2017 at 09:41:29PM -0800, Bill Woodcock wrote:
> The work has been divided into two working-groups: one is addressing the question of what a norm should say (i.e. “Governments shouldn’t cyber-attack X”).
It's much simpler than that. The difference between black hats and white hats is only one: White hats publish.
Because the victims of vulnerabilities exploited will be everyone, maybe with the exception of your specific organization. If your spy-agency hoards vulnerabilities, the victims will be your own police, army, hospitals, power plants and citizens. Plus everyone else. And that's not how you spell "security". It's not even how you do "national security", it's actually "endangering national security" -- and your own outfits are doing it.
Therefore, the only right thing to do is to compel everyone to publish security vulnerabilities, and ostracize everyone who hoards them.
Cheers,
Seegras