We're seeing a lot of incomplete or broken security fixes recently, across the board. Presumably this is leading to a lot of cheap bugs for attackers, who are generally going to be more incentivized to analyze patches than defenders are.
I think involving researchers in the patch validation process is an interesting idea, but it does come with its own set of challenges. For example, if a researcher finds a variant or a bug in the fix, does that reset the disclosure clock (e.g. to ensure partial fix doesn't ship)?
It's up for discussion. Currently for broken fixes it would probably be considered the same finding, not a new bug report. Variants are trickier -- when does a bug become two bugs? Either way, the aim would be to surface concerns early enough that a timely fix is still practical.
Would you distribute patches yourself via zero patch distributed with Chrome?
We're down with this. Thanks Dave! DMs are open.