I wonder if this increases the value of patch diffing results. Because P0 will not disclose what the bugs are for a long time which automatically makes patch diffing more attractive
https://twitter.com/i0n1c/status/1214621661099646989
Related to this, note that we're going to be paying much more attention to variants: "Details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public)"
Also I suspect quite a few vendors will still want to align disclosure around security bulletins, and that's still an option.
While I respect the rationale behind the new policy and the decision to put it under a test period, I personally think that this will give offensive parties a huge advantage 1/2
n-day exploits are still very valid and valuable on most platforms (especially when it comes to partial patches) and usually exceed by far the budget/value ratio defensive parties can benefit from. 2/2
