Again, the thing I don't get about the hard deadline is: perhaps MS is fixing *other* serious bugs that it has found and which it judges are higher priority? Why do external researchers get to decide MS's priorities without knowing the whole picture? https://twitter.com/taviso/status/1138469652571467776 …

That seems very easy to abuse. Couldn't I just assign one overworked engineer to solve a problem, and you're legally prevented from ever discussing it? Many customers would truly benefit from understanding the risks and flaws in the products they buy.
Does your opinion on this only apply to software, or to all products? Like, if I learn about a safety flaw in a car, I shouldn't be allowed to warn anyone if the manufacturer hasn't actually *refused* to issue a recall? What about tainted food at a restaurant?
I think that yoking different spaces together to try to uphold an argument in (an anomalous) one doesn’t help understand the role of disclosure in software security. Please answer about the DNS cache, Spectre and Meltdown examples.
To repeat: I don't support making disclosure illegal. Also to repeat: it seems to me to be about balance. Also to repeat, because you didn't answer: should DNS cache poisoning have been disclosed after 90 days, even though not fixed?
No, I think three months is far too long to sit on information about dangerous product design flaws. This view isn't shared universally; some people believe it's best to trust the vendor to act in your best interests. Others prefer autonomy and want to make their own decisions.