I wanted to fully test this “Responsible Disclosure” theory so I submitted a one-click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Sometimes mistakes are made. When I had to deal with PSIRT, I was always interested in solutions from reporters. But then, I can cite many examples where the fix appeared trivial and was not - at least, to do it correctly.
You don't see the problem with "just give PSIRT as much time as they like", while the users sit there vulnerable?
New conversation
A single example of a botched fix proves nothing. Sit on the other side contending with a report that is a symptom of a bigger design issue which will take 18 months to truly fix. That 90-day clock ends with a zero-day about which the user can do nothing. Not pretty.
It proves plenty, it proves that vendors are willing to pull out any excuse to not fix vulnerabilities in a timely manner. I've been on both sides of the disclosure process, and see good reason to not just give vendors whatever they ask for.
New conversation
How many “users” have you talked with? You know, those millions who believe that their AV “just takes care of it”. Your grandmother. Your cousin’s friend.
That is a really bizarre non-sequitur.