I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
-
Here's an excellent example: Microsoft literally told customers this bug was too complex to fix in 3 months, but ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804 …
-
You can't tell me the complexity was testing either, because the tests are open source and they literally just call it with rand() 1000 times.

-
The typical case is that reporter and vendor have information that no one else has. Too often, required preconditions are privileged, tortured, or artificial. Hence announcement does not give users useful info; in fact, FUD
-
Think about what you're saying. Your position is effectively "when we lack data, we must favor the vendor", why? This is why I keep saying "convenient". Neither of us can say what attackers are doing with the active trade in exploits, but "probs nothing" is pretty optimistic, no?
-
I really dislike your innuendos to subvert what I’ve written. However, skipping past bad interchange, yes: if there is a likely threat, it should be called out to users (i.e., publicly). That situation is fairly rare, IMH analysis (I’ve analyzed 1000s of issues)
-
The trick is to know the difference between that which the user MUST know to protect themselves and that which will likely be irrelevant. That is OUR job: researchers, PSIRT, and independent analysts such as myself.