Apologies in advance if this is a bit long, but I hope something constructive can be done.
The recent suspensions of Cristiano Midnight and Cilis Nephilim have caused quite a bit of friction in the community. It is friction the residents and Linden Lab can do without.
Some accuse the moderators of not being even-handed. Some question the policy. But for me, those are not the questions to ask.
I’m looking to the future. I fully understand Linden Lab’s need for confidentiality of data regarding exploits and suspensions. I fully understand the gravity of exploits. I also understand the needs of the community with regard to the issue of exploits.
We don’t need any changes in policy. We only need a means of prevention. We can keep such ugly incidents from repeating.
1. Linden Lab needs that exploits not be disclosed. This is for damage control purposes, obviously, since the less people know how to perform an exploit, the less damage results.
2. The community needs to know that there’s a problem and how to protect themselves from such problems. This is also for damage control purposes. This aspect is not needed in typical MMOGs because there's no true user content to damage. But in SL, residents do have things they can lose.
What the community needs is a procedure or protocol to follow in the event of exploit discovery such that the above two needs are addressed.
Cristiano sent those warnings most likely because he had no idea if the exploit was already being handled or not. Since he felt unsure it was being handled, he took it upon himself to warn the community.
What I believe we need is improved feedback regarding status.
My suggestion is:
- The resident who has completed investigation of an exploit reports the exploit to Linden Lab using the bug report tool and places "EXPLOIT" in the title. (This procedure is a given, and is as stated by Brent Linden).
- The SL bug report system sends an automated message upon receipt. (Suggested add) What will be good after this is if a second message, sent manually by email and in-world IM, confirms when an investigator is actually looking into it. At least the reporting resident will know that the exploit is being handled already.
- At this point the reporting resident can rest.
- One hour or less after the manual message is sent, a forum post is made by LL regarding the status. In the event that the investigation is not complete, the announcement, without disclosing the exploit being investigated, should include preventive and protective measures residents should take.
So what answer am I seeking? Either.
- Is this protocol workable? or
- Is there an even better protocol that we can follow?
This way we avoid all future CrisMid cases.