Man, this is petty. The Microsoft of 2019 is not the Microsoft of 1999 or even 2009. You don't need to prompt them with this stunt. MS said they would get the patch delivered in the July update because they wanted improved testing. Microsoft is not the problem in this scenario. https://twitter.com/taviso/status/1138469652571467776 …
Replying to @taosecurity
Those of us actually on the frontlines of vulnerability research deal with something a little different. The Microsoft you're so enamored with didn't just appear, we had to fight for it. What's petty is hurling insults without even putting in some effort to understand context.
1 reply 5 retweets 164 likes -
Replying to @taviso
I'm not on the frontlines of vuln research but I care about people who have to deal with the mess you disclosed, needlessly early in my opinion. It's not like Microsoft was ignoring or disrespecting you. Seriously, I expected better from someone who's been around as long as you.
16 replies 3 retweets 39 likes -
Replying to @taosecurity @taviso
Disclosure policies exist for a reason. Tavis followed his and it was up to MSRC to prevent the mess. Maybe stay in your lane?
2 replies 0 retweets 23 likes -
Well Sandbox Escaper also follows her own 0-day disclosure policy. Where do you draw the line of what's responsible?
1 reply 0 retweets 0 likes -
Replying to @lasq88 @hellNbak_ and
Maybe between 90 days and tweets like 'I hate the world so here is a 0 day'
1 reply 1 retweet 7 likes -
Replying to @avasdream_ @hellNbak_ and
From an attitude/moral perspective, yes. But is there a difference in impact between releasing an unpatched bug after 0 days and after 90 days?
1 reply 0 retweets 1 like -
Replying to @lasq88 @avasdream_ and
Yes, companies could choose to roll out their update faster due to public attention and not wait (e.g. until July), since most (smaller) patches stay on the shelf for some time for major updates.
2 replies 0 retweets 0 likes -
Replying to @C0ldlip @avasdream_ and
Unfortunately, users of said software are usually the ones who pay the price of such disclosure, not the vendor. I just wonder, if it was unauthenticated RCE, would they also release it on day 91?
1 reply 0 retweets 1 like
The policy applies to all vulnerabilities. If your vendor literally cannot patch an exploit found in the wild within three months, that sounds like something most users would want to know about. If you don't want to know, you're free to not read vulnerability reports.