Again, the thing I don’t get about the hard deadline is: perhaps MS is fixing *other* serious bugs that it has found and which it judges are higher priority? Why do external researchers get to decide MS’s priorities without knowing the whole picture? https://twitter.com/taviso/status/1138469652571467776
Replying to @charlesarthur
Keeping a bug private doesn't mean that people don't know about it - especially folks who trade in 0Days - you could argue making it public just levels the playing field.
Replying to @steely_glint
You could, but it’s an argument from hypothesis. You’d do better to argue from empirical proof, if there is some.
Replying to @charlesarthur @steely_glint
Nobody is telling anybody what to do, it's Microsoft's software and they can manage it any way they please. I just read the code, as many people do, then gave them three months notice I was going to state a fact about it publicly.
Replying to @taviso @steely_glint
What if in fact it takes longer than three months to fix? A number of the serious examples here took longer than that. Would you advocate 90-day disclosure for those too? https://en.wikipedia.org/wiki/Responsible_disclosure
Replying to @charlesarthur @steely_glint
They can decline to fix bugs, schedule fixes for future versions in years to come, assign one developer or invest millions and assign dozens. Those are all valid options. It can take years to walk across the country or you can take a flight and be done in hours.
I think your real question might be "shouldn't it be illegal to discuss/review/criticize commercial products without permission from the vendor?", and I don't think so. I certainly want to hear about design flaws in the products I use, whether the vendor likes it or not.
Replying to @taviso @steely_glint
I can see the benefits of disclosure, eg if you have something where the company is clearly *refusing* to fix it and it’s very obvious (eg many IoT flaws). I’m certainly not suggesting making it illegal to discuss. That’s a bad idea. It’s about balancing risk from disclosure.
Replying to @charlesarthur @steely_glint
That seems very easy to abuse, couldn't I just assign one overworked engineer to solve a problem and you're legally prevented from ever discussing it? Many customers would truly benefit from understanding the risks and flaws in the products they buy.
Does your opinion on this only apply to software, or all products? Like, if I learn about a safety flaw in a car, I shouldn't be allowed to warn anyone if the manufacturer hasn't actually *refused* to issue a recall? What about tainted food at a restaurant?
Replying to @taviso @steely_glint
I think that yoking different spaces together to try to uphold an argument in (an anomalous) one doesn’t help understand the role of disclosure in software security. Please answer about the DNS cache, Spectre and Meltdown examples.
Replying to @charlesarthur @steely_glint
I have answered your question. You seem to be dodging mine by claiming I'm dodging yours, which seems really odd. If I find out a restaurant is serving tainted food, should I be required to keep quiet about it indefinitely while the company resolves it?