Project Zero Policy and Disclosure: 2020 Edition -- https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html …
Great question, I'm definitely concerned about it and it was a big part of our discussions. Talking to a lot of vendors, they're generally aware of this type of analysis, but it wasn't always the biggest factor in terms of motivating them to improve patch speed/quality/adoption.
For the vendors that want to disclose information closer to the patch date, we still have that option though. I suspect quite a few will still want to align disclosure around security bulletins.
I think you're right that attackers are incentivized to study patches in more detail than defenders though, so we'll be looking very closely at the gap between patch and disclosure to make sure the policy is well balanced.