Nobody is telling anybody what to do, it's Microsoft's software and they can manage it any way they please. I just read the code, as many people do, then gave them three months notice I was going to state a fact about it publicly.
Replying to @taviso @steely_glint
What if in fact it takes longer than three months to fix? A number of the serious examples here took longer than that. Would you advocate 90-day disclosure for those too? https://en.wikipedia.org/wiki/Responsible_disclosure
2 replies 0 retweets 0 likes
Replying to @charlesarthur @steely_glint
They can decline to fix bugs, schedule fixes for future versions in years to come, assign one developer or invest millions and assign dozens. Those are all valid options. It can take years to walk across the country or you can take a flight and be done in hours.
1 reply 0 retweets 0 likes
I think your real question might be "shouldn't it be illegal to discuss/review/criticize commercial products without permission from the vendor?", and I don't think so. I certainly want to hear about design flaws in the products I use, whether the vendor likes it or not.
1 reply 0 retweets 2 likes
Replying to @taviso @steely_glint
I can see the benefits of disclosure, eg if you have something where the company is clearly *refusing* to fix it and it’s very obvious (eg many IoT flaws). I’m certainly not suggesting making it illegal to discuss. That’s a bad idea. It’s about balancing risk from disclosure.
3 replies 0 retweets 0 likes
Replying to @charlesarthur @steely_glint
That seems very easy to abuse, couldn't I just assign one overworked engineer to solve a problem and you're legally prevented from ever discussing it? Many customers would truly benefit from understanding the risks and flaws in the products they buy.
2 replies 0 retweets 0 likes
Does your opinion on this only apply to software, or to all products? Like, if I learn about a safety flaw in a car, I shouldn't be allowed to warn anyone if the manufacturer hasn't actually *refused* to issue a recall? What about tainted food at a restaurant?
1 reply 0 retweets 1 like
Replying to @taviso @steely_glint
I think that yoking different spaces together to try to uphold an argument in (an anomalous) one doesn’t help understand the role of disclosure in software security. Please answer about the DNS cache, Spectre and Meltdown examples.
1 reply 0 retweets 0 likes
Replying to @charlesarthur @steely_glint
I have answered your question. You seem to be dodging mine by claiming I'm dodging yours, which seems really odd. If I find out a restaurant is serving tainted food, should I be required to keep quiet about it indefinitely while the company resolves it?
2 replies 0 retweets 0 likes
Replying to @taviso @steely_glint
I think the restaurant/food analogy is bad, because software is far buggier than food, because there are strong regulations around food. None around software. I missed your answer on DNS/Spectre/Meltdown. What was it?
2 replies 0 retweets 0 likes
Wait, software is an unregulated wild west so vendors must be trusted and protected from criticism? Shouldn't it be the opposite: we need more transparency and accountability because it's not as well regulated as other industries?
Replying to @taviso @steely_glint
I’m not saying that. I’m saying you’re comparing extremely unlike things, which makes the comparison meaningless. I’d rather focus just on software, please.
0 replies 0 retweets 0 likes