Project Zero Policy and Disclosure: 2020 Edition -- https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html …
Replying to @benhawkes
I thought part of disclosure at patch time was to ensure everyone has access to the vulnerability information. Is there any concern with the subset of people doing patch analysis knowing more than everyone else?
1 reply 1 retweet 0 likes
Replying to @Junior_Baines
Great question, I'm definitely concerned about it and it was a big part of our discussions. Talking to a lot of vendors, they're generally aware of this type of analysis, but it wasn't always the biggest factor in terms of motivating them to improve patch speed/quality/adoption.
1 reply 0 retweets 0 likes
Replying to @benhawkes @Junior_Baines
For the vendors that want to disclose information closer to the patch date, we still have that option though. I suspect quite a few will still want to align disclosure around security bulletins.
1 reply 0 retweets 0 likes
I think you're right that attackers are incentivized to study patches in more detail than defenders though, so we'll be looking very closely at the gap between patch and disclosure to make sure the policy is well balanced.