Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804 …
Replying to @taviso
I understand de-restricting issues after a certain time when the vendor has been unwilling to fix/acknowledge the bug, but it looks like you are in dialogue with the vendor, who is working on a fix, so why not wait until the patch is out?
3 replies 0 retweets 16 likes
Replying to @taviso
If MS had committed to fix it in 120 days, would it still have been de-restricted now?
1 reply 0 retweets 1 like
Replying to @taviso
But you're working with vendors to make the Internet safer for all, so if the vendor, who has to do the work to fix it, says a deadline of 120 days, why not respect that? I honestly don't understand the inflexibility, certainly when dealing with this particular vendor.
3 replies 0 retweets 14 likes
Replying to @gaztunnock
The policy is *highly* flexible: any number of days between 0 and 90 is acceptable. In addition, if an update or patch was already scheduled within 14 days of the deadline, we offer a "grace period" to align the schedule.
4 replies 1 retweet 39 likes
Replying to @taviso
So in your opinion (or is it Google’s opinion?), all vulnerabilities (from low to critical) should be fixed within 90 days?
3 replies 0 retweets 8 likes
Replying to @shhnjk
Three months is way too high in my opinion; it's a compromise. In open source, the norm is closer to 90 hours. Linus famously tells people not to tell him about bugs if they want them kept secret for more than two weeks, because he'll just fix them.
2 replies 5 retweets 63 likes
But is a fix committed to a repo sufficient to call it fixed? 90 days usually includes notifying customers, testing, preparing builds, etc. Just slapping a fix into a repo doesn't really address the hardships of getting that fix onto customer devices.
1 reply 0 retweets 1 like
I don't think anyone claims that. However, I do claim that once the patch is available then the vulnerability is essentially public, and everyone is better served with full and complete data. This is part of a very old debate about "silent patching", you can research it.