I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Replying to @mattaustin @taviso
IMHE, PSIRT MUST always respond and stay engaged. But, arbitrary fix periods fail to take into account the vast range of fix complexities from 1 line of code to a complete redesign. Therein lies the challenge: all fixes are not equal and cannot be treated as such
Replying to @BrkSchoenfield @mattaustin
Two things, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like, that should not delay warning the user base about the danger they're exposed to.
Here's an excellent example: Microsoft literally told customers this bug was too complex to fix in 3 months, but it ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804 …
You can't tell me the complexity was testing either, because the tests are open source and they literally just call it with rand() 1000 times.
Replying to @taviso @mattaustin
Sometimes mistakes are made. When I had to deal with PSIRT, I was always interested in solutions from reporters. But then, I can cite many examples where the fix appeared trivial and was not - at least, to do it correctly.
Replying to @BrkSchoenfield @mattaustin
You don't see the problem with "just give PSIRT as much time as they like", while the users sit there vulnerable?
Replying to @taviso @mattaustin
This is bigger than a tweet interchange. Yes! There are dishonest vendors (how to arm twist?) Yes, there are complex fixes. Yes, there are emergencies, but far more issues will NEVER be exploited.
It's fun and easy to play the numbers game when you're not the victim. In general, zero-day exploitation does not involve large numbers that can be tracked by honeypots or whatever, but the impact is very large. You have zero data to back up "NEVER", and I disagree.