I can relate to your frustration and I don't care about vendors much myself, but I do care about end users. If you feel they are best served by releasing the 0-day to show how bad the security is, do include the communication in full to show how badly @vanilla handled it.
-
-
... but users may not be aware if there is little media response until they get owned using your 0day (trust me, I've been there), which is the opposite of what you want to achieve.
-
Well yes, the hype cycle is important. I reluctantly admit that having a name/logo/theme song for your vulnerability can help drive patch adoption. On the other hand, EternalBlue hit hard despite the disclosure and patches being available.
-
Yes, it's certainly not black and white. Just wanted to caution against venting frustration through 0-day if that would otherwise not help. But if a vendor is truly failing to secure their users, that should be made *very* public indeed. (@PwnieAwards FTW!)
-
Let's see: no CVEs ever assigned, misguided commit messages instead of the actual reasons for code changes... disclosure after like 6 months...
@vanilla is doing the pay4silence thing on @Hacker0x01. -
I can only second @berendjanwever here.
Users are not guilty of anything here, vendor is. -
So when a vendor has a bug bounty that restricts disclosure and doesn't provide auto-update features or reference security fixes in the change log, it is supposedly helping keep users safe by communicating with the vendor so they can maintain the status quo where users aren't updating?
-
A little empathy, guys: dropping stuff should be a last-resort option, not the first thought when a vendor is not responding for a week or not assigning a CVE.
-
Or perhaps you're not dealing with disclosure at scale; there is a limit to how much time an individual can invest in chasing disclosure with reluctant vendors.