It just seems like a straw man argument, users are kept safe by secure development and patch adoption. Disclosure practices have very little impact on patch adoption in my experience.

Disagree: secure development can't prevent 0-day and you can't patch for it either. Disclosure practices have a large impact on PR and potential attacks against users. If your goal is to secure users, releasing 0-day may help to convince users to stop using the product.

... but users may not be aware if there is little media response until they get owned using your 0day (trust me, I've been there), which is the opposite of what you want to achieve.

Well yes, the hype cycle is important, I reluctantly admit that having a name/logo/theme song for your vulnerability can help drive patch adoption. On the other hand, EternalBlue hit hard despite the disclosure and patches being available.

Yes, it's certainly not black and white. Just wanted to caution against venting frustration through 0-day if that would otherwise not help. But if a vendor is truly failing to secure their users, that should be made *very* public indeed. (@PwnieAwards FTW!)

Let's see, no CVEs ever assigned, misguided commit messages to actual reasons for code change... disclosure after like 6 months... @vanilla is doing the pay4silence thing on @Hacker0x01.

I can only second @berendjanwever here. Users are not guilty of anything here, vendor is.

So when vendor has a bug bounty that restricts disclosure and doesn't provide auto update features or reference security fixes in the change log it is supposedly helping keep users safe by communicating with the vendor so they can maintain status quo where users aren't updating?