Three months is way too high in my opinion; it's a compromise. In open source, the norm is closer to 90 hours. Linus famously tells people not to tell him about bugs if you want them kept secret for more than two weeks, because he'll just fix them.
Replying to @taviso
But even well funded open source software like Chrome still has a dozen of vulns unfixed for a year (and this is just my bugs). I’m hoping that you’ll convince Chrome to fix my bugs within 90 hours so that I can get bounties within a week :D
1 reply 4 retweets 17 likes -
Replying to @shhnjk
I don't really have any opinion on bounties sorry, my first thought is that the bounty operator can dictate any terms they like and you have the right to not participate? Happy to hear the counter-argument.
2 replies 0 retweets 5 likes -
Replying to @taviso
Oh, bounty part was just a humor
My point was, even Chrome can't do 90-day deadlines for all vulnerabilities.
1 reply 0 retweets 2 likes -
Replying to @shhnjk
I think Chrome has a pretty stellar track record on this, and can totally manage 90 days. Give me the bug number and I'll take a look, it's hard for me to believe they're sitting on a 0day for over a year.
4 replies 0 retweets 13 likes -
Replying to @taviso
Following are vulns (per Chrome team) that are unfixed for more than a year (the oldest one was reported in 2015):
538562
771596
772759
794382
799041
802007
821625
821626
821628
821630
821632
821634
823241
823737
830101
830808
831731
831761
847848
1 reply 0 retweets 20 likes -
Replying to @shhnjk
I clicked through a few, they mostly don't seem like they need to be private to me. I can ping some Chrome developers and say you want them public if you like, it seems fine to me... I would have just made these public.
2 replies 0 retweets 2 likes -
How many undisclosed vulnerabilities does Google have? If you're going to say you need to publish vulnerabilities for one company, you should do it for all. Also, why are you asking for permission to disclose from devs... that's not how the system is supposed to work?
1 reply 0 retweets 0 likes -
Replying to @lynnhtowle @shhnjk
We do publish all our vulnerabilities, including vulnerabilities in Google products, we're transparent and apply our policy consistently to all vendors. I don't understand your other question.
1 reply 0 retweets 1 like -
The Google+ vulnerability shows that in fact Google does not disclose all vulnerabilities, so how many more have not been disclosed? If a vulnerability was discovered, and has gone past 90 days, as shown by Jun, why are you asking permission from devs to make it public?
1 reply 0 retweets 1 like
Uhhhhh, I work on Project Zero, I can't control what Google+ does any more than I can control what the cafeteria serves.