I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
-
But even well-funded open source software like Chrome still has a dozen vulns unfixed for a year (and these are just my bugs). I'm hoping that you'll convince Chrome to fix my bugs within 90 hours so that I can get bounties within a week :D
-
I don't really have any opinion on bounties, sorry; my first thought is that the bounty operator can dictate any terms they like and you have the right to not participate? Happy to hear the counter-argument.
-
But is a fix committed to a repo sufficient to call it fixed? 90 days usually includes notifying customers, testing, preparing builds, etc. Just slapping a fix into a repo doesn't really address the hardships of getting that fix onto customer devices.
-
I don't think anyone claims that. However, I do claim that once the patch is available then the vulnerability is essentially public, and everyone is better served with full and complete data. This is part of a very old debate about "silent patching", you can research it.