https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html … <-- on patch gapping and n-day bugs being used as an easy way to score 0-day like capabilities (via @itswillis)
A very difficult problem to solve :( pic.twitter.com/eY4GlBASrB
Replying to @ryanaraine @itswillis
There's no right answer, but if you're going to take a "patch in the open" approach, then velocity is really important. The time between the patch being released and an update being made available to users should be as short as possible. Days, not weeks or months.
With WebKit, the update cadence appears to be tied to OS releases, so the time frames can be uncomfortably long. That's probably a good place to start: find a way to update WKWebView and Safari through the App Store, and set up a biweekly release cadence.
Of course I suspect there are good reasons why that hasn't happened yet! Network data overhead, storage space, performance, maintenance complexity, etc. But ultimately I think it's worth doing.