Find a vuln? Your disclosure options:
1. Exploit it! Plant ransomware, steal cryptocurrency
2. Sell it to a broker. Add "journalist hacked" to the muted words list. Ignorance is bliss
3. Sell to your country's military. Patriotic.
4. Tell people who are affected by disclosing it
@sj you're leaving out the 5th option of sitting on it indefinitely and doing nothing, and the 6th option of sitting on it indefinitely and using it for fun or jokes, and you can't look me in the post and tell me those aren't real options homie
@sj these aren't technically disclosure, I guess, but neither is exploiting it unless you count accidentally
@buherator @sj sell to broker sounds more chaotic than ransomware to me, because that’d allow any of them to do ransom
@buherator @sj @cR0w I object strenuously.
Chaotic Good and Chaotic Neutral MUST be swapped at once.
@buherator @sj “exploit to spread memes”, yeah that sounds about right.
@silverwizard @sj @cR0w @buherator ... good point. We should swap True Neutral and Lawful Good.
Or if we're being cynical, Neutral Evil and Lawful Good.
@rootwyrm @buherator @sj @cR0w idk, the axis of disclose -> do no harm -> harm feels pretty good/neutral/evil to me.
@buherator @sj Feels like keep private is true neutral, vendor timeline is lawful neutral, exploit patch is chaotic good, coordinated with deadline is lawful good, and full disclosure is neutral good. (Vendors that won't go with a reasonable deadline are too evil to be on the good line)
@ajn142 @buherator @sj @cR0w
memes -> Obviously gooder. Especially with our collective arsenal of ../ memes which also fulfill the disclosure part half the time!
@rootwyrm @buherator @sj @cR0w how dare you take this from us Chaotic Neutral types 😂
@buherator @sj I realize that mappings to D&D morality are necessarily inexact; but the idea that vendor's pet disclosure is the most lawful form of disclosure seems troublesome.
It seems like one of those 'lawfuls' that gets there because it would be the lawful good paladin, who is kind of thick, who thinks that letting the vendor weigh their self-interest against customer security is totally different from letting a broker weigh their self-interest against customer security.
@fuzzyfuzzyfungus @buherator @sj
Lawful Good requires you put your personal judgement about Good aside in favor of what authorities say. And the conflict between that and Justice is real.
@buherator @sj
I once got my Steam PFP changed by a random XSS exploit people were spreading around in chat messages. Defo a chaotic neutral moment!
@buherator @sj "Exploit to spread Memes" truly is a specimen.
@tbortels @buherator @sj Oh, definitely, no argument there. It's just that in the (honestly sort of weird) mixture of expansive criminalization and pure wild west that is software quality and information security, the idea that 'responsible disclosure' is law-driven is basically a self-serving myth, with it typically on exactly the same legal ground as just publishing, or as selling to one of the 'we only work for the good guys' oppression professionals' brokers.
You inspired me to have a go myself:
LG: Post bug report + patch to vendor/distro security lists
NG: Post patch (no context) to reddit
CG: Exploit worm to distribute patch
LN: Bug report to vendor, no disclosure
TN: Bug report to bounty programme, responsible disclosure
CN: Bug report to reddit, full disclosure
LE: Sell exploit to your gov't
NE: Ransomware
CE: Post exploit to reddit
@buherator
I want a shirt with this xD. It is yours, right? Do you happen to have an .SVG of this or something higher quality?
@sj