Man, this is petty. The Microsoft of 2019 is not the Microsoft of 1999 or even 2009. You don't need to prompt them with this stunt. MS said they would get the patch delivered in the July update because they wanted improved testing. Microsoft is not the problem in this scenario. https://twitter.com/taviso/status/1138469652571467776
Replying to @taosecurity
Those of us actually on the frontlines of vulnerability research deal with something a little different. The Microsoft you're so enamored with didn't just appear, we had to fight for it. What's petty is hurling insults without even putting in some effort to understand context.
1 reply 5 retweets 164 likes -
Replying to @taviso
I'm not on the frontlines of vuln research but I care about people who have to deal with the mess you disclosed, needlessly early in my opinion. It's not like Microsoft was ignoring or disrespecting you. Seriously, I expected better from someone who's been around as long as you.
16 replies 3 retweets 39 likes -
Replying to @taosecurity
Vulnerability disclosure is a vast and nuanced field, that you are clearly not familiar with. Should I start techsplaining your field to you? I know nothing about it, but I can't wait to second guess all the decisions you've made and explain how petty you are. Do better Richard.
5 replies 3 retweets 131 likes -
Replying to @taviso @taosecurity
While I agree with the sentiment of your response to Richard...and don’t begrudge your tone given his, surely you agree that your actions aren’t above review and even criticism, if well articulated and justified.
2 replies 0 retweets 4 likes -
Replying to @quorumneeded @taosecurity
Of course not, but it is fair to request basic familiarity with the topic before pulling out the insults. There's little new to cover though, so most people familiar with the debate are tired of discussing it. Here's some starter reading, https://twitter.com/SushiDude/status/1137091547604930560
(Tavis Ormandy retweeted Steve Christey Coley)
1 reply 4 retweets 39 likes -
@taviso I'm curious about your insights into financial bug bounty programs. Should researchers who are looking for $ still be holding vendors to 90-day disclosure windows? Should @Hacker0x01 and @Bugcrowd be allowing companies to run bounty programs that forbid public disclosure?
1 reply 0 retweets 0 likes -
Replying to @JLLeitschuh @taviso and
What do you mean "allowing"? How would they stop them?
1 reply 0 retweets 1 like -
Replying to @BenLaurie @taviso and
I guess the better way to phrase that is "should we be discouraging them from allowing companies to have programs that forbid disclosure." You're right, we can't stop them from doing this. (1/2)
1 reply 0 retweets 0 likes -
Replying to @JLLeitschuh @BenLaurie and
I wish that @Hacker0x01 and @Bugcrowd allowed researchers to have their own disclosure policies. I've been threatened by @Hacker0x01 staff that I'd be kicked off the platform if I tried to enforce a 90-day disclosure policy even though I was willing to give up the bounty. (2/2)
2 replies 0 retweets 2 likes -
Hmmm, that doesn't sound okay. I think it's totally acceptable for vendors to set whatever rules they like for their bounty programme, and you always have the right to not participate - but it wouldn't be okay to threaten retaliation.