We're seeing a lot of incomplete or broken security fixes recently, across the board. Presumably this is leading to a lot of cheap bugs for attackers, who are generally going to be more incentivized to analyze patches than defenders are.
One of the options that we'd like to explore is being more involved in the patching process. We don't have a great level of engineer-to-engineer dialogue about this stuff, and we could be helping spot gaps early if we had more visibility.
I think involving researchers in the patch validation process is an interesting idea, but it does come with its own set of challenges. For example, if a researcher finds a variant or a bug in the fix, does that reset the disclosure clock (e.g. to ensure partial fix doesn't ship)?
Days of engineering, perhaps. Days of testing, on the contrary...;) (Engineering is hardly the long part of pushing out something). More involvement is definitely good, but adds time. I consider it part of testing.
I’ve rarely heard of researchers being difficult on disclosure timelines because someone made a decent effort but more issues were found. Also, it’s not unusual that all the best bugs explode into a cascading hell of realising it’s worse than you first thought.