Man, this is petty. The Microsoft of 2019 is not the Microsoft of 1999 or even 2009. You don't need to prompt them with this stunt. MS said they would get the patch delivered in the July update because they wanted improved testing. Microsoft is not the problem in this scenario. https://twitter.com/taviso/status/1138469652571467776
Replying to @taosecurity
I’m going to side w/ @taviso on this. 90 days is plenty of time and vendors should be held to the consequences of not responsibly fixing security issues. As consumers, IT/sec pros, etc. we put a lot of trust in these companies. Telling us they need “testing time” is stalling.
This affects anything related to windows crypto. If the fix is not trivial and/or has potential side effects, consider *how many* pieces of software on how many machines could be impacted. Oh but some dude from Google with no responsibility thinks that 90 days is plenty. Ok then
Um... the term “responsible disclosure” comes to mind here. There are researchers that post vulns and POC code without notifying the vendor, putting the world at risk. Responsible researchers give a minimum of 90 days before going public. 3 months is plenty of time to fix a vuln.
Replying to @dogsbollards @j_stauffer and
In your opinion, Microsoft are literally incapable of fixing a Windows exploit safely in three months? That's bad news, as Windows zero days are found in the wild quite regularly. Would you say that it's dangerous to use Windows in any mission critical role because of this?
Replying to @dogsbollards @taviso and
It’s not our “arbitrary 90 days.” This is the agreed-upon term limit responsible vuln researchers use. So what is a reasonable time limit? There’s no money in vuln management, ergo, it is typically not a priority. All this time they’re “looking into it,” your system is vulnerable.
Replying to @j_stauffer @dogsbollards and
Microsoft fix bugs in under 90 days all the time, as do other big OS vendors. I’m sure you’ve experienced that before in your position, @taviso. Not all bugs are the same though, so to have a policy as black and white as 90 days or GTFO seems bad...
This "black and white" argument is absolute nonsense, you can choose any number of days you like to leave your users vulnerable. So long as that number doesn't exceed 90. That is how deadlines work.