We're seeing a lot of incomplete or broken security fixes recently, across the board. Presumably this is leading to a lot of cheap bugs for attackers, who are generally going to be more incentivized to analyze patches than defenders are.
-
I think involving researchers in the patch validation process is an interesting idea, but it does come with its own set of challenges. For example, if a researcher finds a variant or a bug in the fix, does that reset the disclosure clock (e.g. to ensure a partial fix doesn't ship)?
-
It's up for discussion. Currently for broken fixes it would probably be considered the same finding, not a new bug report. Variants are trickier -- when does a bug become two bugs? Either way, the aim would be to surface concerns early enough that a timely fix is still practical.
-
Yep, agree on the aim. I think it raises an interesting question on which path creates more risk: shipping a fix that is known to be partial/buggy (that attackers might spot & exploit) vs. delaying disclosure for a complete fix (for an issue attackers might already be exploiting).
-
That may be a bit too close to the time-honored and much-loved tradition of disclosure debates on Twitter, though. I definitely don't want to open that box of fun ;)
-
End of conversation

New conversation
-
Want you to distribute patches yourself via zero patch distributed with Chrome
-
We're down with this. Thanks Dave! DMs are open.
End of conversation