I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
So in your opinion (or is it Google’s opinion?), all vulnerabilities (from low to critical) should be fixed within 90 days?
Three months is way too high in my opinion; it's a compromise. In open source, the norm is closer to 90 hours. Linus famously tells people not to tell him about bugs if they want them kept secret for more than two weeks, because he'll just fix them.
Excuse my minute inquiry, but was this decision (canceling the grace period) communicated prior to or post-derestriction? Did MS explicitly waive the grace period? i.e. "we can give you 14 days' grace, but July is too far and we would have to derestrict; can you make it in 14?"
It only applies if there is an update already scheduled. It's not just a free 14 day extension. We settled on 90 days, but try to accommodate vendors with rigid patch schedules like Microsoft.
I think 14 days is fair. I did that with @Cisco to align with their patch release cycle. https://srcincite.io/advisories/src-2019-0034/
Considering the 0-90 days is set by P0, I don't think that can be used as an example of flexibility. I didn't know about the 14-day grace period. The vendor said the fix will be pushed in ~28 days, so for the sake of waiting 14 days you've disclosed a bug, making the Internet less safe.