We're seeing a lot of incomplete or broken security fixes recently, across the board. Presumably this is leading to a lot of cheap bugs for attackers, who are generally going to be more incentivized to analyze patches than defenders are.
One of the options that we'd like to explore is being more involved in the patching process. We don't have a great level of engineer-to-engineer dialogue about this stuff, and we could be helping spot gaps early if we had more visibility.
I think involving researchers in the patch validation process is an interesting idea, but it does come with its own set of challenges. For example, if a researcher finds a variant or a bug in the fix, does that reset the disclosure clock (e.g. to ensure partial fix doesn't ship)?
It's up for discussion. Currently for broken fixes it would probably be considered the same finding, not a new bug report. Variants are trickier -- when does a bug become two bugs? Either way, the aim would be to surface concerns early enough that a timely fix is still practical.
Yep, agree on the aim. I think it raises an interesting question on which path creates more risk: shipping a fix that is known to be partial/buggy (that attackers might spot & exploit) vs. delaying disclosure for a complete fix (for an issue attackers might already be exploiting).
That may be a bit too close to the time-honored and much-loved tradition of disclosure debates on twitter, though. I definitely don't want to open that box of fun ;)
New conversation
Days of engineering, perhaps. Days of testing, on the contrary...;) (Engineering is hardly the long part of pushing out something). More involvement is definitely good, but adds time. I consider it part of testing.
Let's be realistic. Only a fraction of people reporting vulnerabilities 1) know the root cause 2) are capable of mitigating the issue 3) care about the fix at all 4) understand sw eng practices and the enormous amount of work required to implement, test, push out that mitigation
New conversation
I’ve rarely heard of researchers being difficult on disclosure timelines because someone made a decent effort but more issues were found. Also it’s not unusual that all the best bugs explode into a cascading hell of realising it’s worse than you first thought.