P0 is pretty close to what I would do if P0’s job was my job.
Replying to @tqbf
P0 will hold a vuln confidential for up to 90 days if no patch, right? (Tweeting seems to be orthogonal to their published policy)
Replying to @matthew_d_green @tqbf
Nonsense. They keep details private. The fact that they sent a report is not confidential. Why is that so hard to understand?
Thomas made an argument for immediate PoC disclosure. This is much more aggressive than P0's current disclosure policy.
I was asking if he disagreed with Google's policy in general, not with Tavis's tweeting about it.
And to recap the Q I've asked like 10x in this thread: if you knew Tavis's tweet did increase the rate/speed of malicious exploitation...
... would you care?
Replying to @matthew_d_green @i0n1c
Still underspecified. Can I mitigate without a patch? If so: delay for patch harms me, regardless of exploit rate.
But of course, unstated logic here is: unreasonable to expect people to disable services to avoid security flaw. That’s fucked.
Note that I'm not ruling out some kind of disclosure. Just something short of "put it in the blog".
this is why I miss vine, it was the perfect middle ground