I understand de-restricting issues after a certain time when the vendor has been unwilling to fix/acknowledge the bug, but it looks like you are in dialogue with the vendor, who is working on a fix, so why not wait until the patch is out?
Replying to @taviso
If MS had committed to fix it in 120 days, would it still have been de-restricted now?
1 reply 0 retweets 1 like
Replying to @taviso
But you're working with vendors to make the Internet safer for all, so if the vendor, who has to do the work to fix it, says a deadline of 120 days, why not respect that? I honestly don't understand the inflexibility, certainly when dealing with this particular vendor.
3 replies 0 retweets 14 likes
Replying to @gaztunnock
The policy is *highly* flexible, any number of days between 0 and 90 is acceptable. In addition, if an update or patch was already scheduled within 14 days of the deadline, we offer a "grace period" to align the schedule.
4 replies 1 retweet 39 likes
Replying to @taviso @gaztunnock
Excuse my minute inquiry, but was this decision (cancelling the grace period) communicated prior to or post de-restriction? Did MS explicitly waive the grace period? i.e. "we can give you 14 days' grace, but July is too far and we would have to de-restrict, can you make it in 14?"
2 replies 0 retweets 0 likes
Replying to @jifa @gaztunnock
It only applies if there is an update already scheduled. It's not just a free 14-day extension. We settled on 90 days, but try to accommodate vendors with rigid patch schedules like Microsoft.
1 reply 0 retweets 1 like
Replying to @taviso @gaztunnock
Not saying it's free, just accommodating for real-life patch deployment issues (which on the surface appears to look like this case: MS actively working on a patch, finds additional issues, then waive grace?...). So was the grace cancellation explicit or implicit?
2 replies 0 retweets 0 likes
Replying to @jifa @gaztunnock
It isn't for accommodating deployment issues. That's what the 90 days are for: developing and testing patches. The grace period is *only* for syncing with a previously scheduled patch window, and does not apply here.
2 replies 0 retweets 2 likes
Three months is a very generous amount of time to develop and deploy a patch. If your vendor claims otherwise, then what are they going to do when a 0day is found in the wild? Ask the hackers for a 14-day grace extension?
So re https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html?m=1 … If you reported on 27 Feb, and it was patched 1 Mar, and disclosed 7 Mar, then either it took Google just shy of 90 days to release a patch (knowing it was being exploited in the wild), or you gave MS like 2 weeks to fix. Either way...
1 reply 0 retweets 0 likes
Go reread: that was being actively exploited in the wild, and a practical mitigation was available (upgrade Windows). The 90-day policy is about holes Google P0 finds, not stuff being exploited in the wild.
0 replies 0 retweets 1 like