I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
My answer is that the current methods are broken: a disservice to honest software makers. And a disservice to the research community's profoundly important contributions. Mostly, one way or other, it's users who lose.
That's a very vendor-centric opinion, that your users lose by understanding the limitations and risks of your products. Many people (like me) disagree, and believe your users win by understanding the risks and flaws products pose.
Also, according to https://www.microsoft.com/en-us/msrc/bounty-terms?rtc=1: "You must follow Coordinated Vulnerability Disclosure (CVD) when reporting all Vulnerabilities to Microsoft. IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM."
In other words: if you don't want to give us an indefinite timeline, we don't want to see it. No matter the risk to our customers.
This is bigger than a tweet interchange. Yes! There are dishonest vendors (how to arm twist?) Yes, there are complex fixes. Yes, there are emergencies, but far more issues will NEVER be exploited.
It's fun and easy to play the numbers game when you're not the victim. In general, zero-day exploitation does not involve large numbers that can be tracked by honeypots or whatever, but the impact is very large. You have zero data to back up "NEVER", and I disagree.
"Users who lose"? The vast majority of users haven't the sophistication to understand their risks, much less address them (I mean, the connected 3.5B people).
I don't have the mechanical sophistication to understand any design flaws in a carburetor. Is that a good reason to not send me a vehicle recall notice?
Attempting to force a single approach on every situation is a disservice. We have to do better than that. We must. Our users depend upon our knowledge to protect them.
Absolutely disagree, this is basically "we must balance the needs of the vendors with the needs of the users". Is it so unreasonable a position to say, "I don't particularly care about the needs of the vendors"?