I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Replying to @mattaustin @taviso
IMHE, PSIRT MUST always respond and stay engaged. But, arbitrary fix periods fail to take into account the vast range of fix complexities from 1 line of code to a complete redesign. Therein lies the challenge: all fixes are not equal and cannot be treated as such.
Replying to @BrkSchoenfield @mattaustin
Two things, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like, that should not delay warning the user base about the danger they're exposed to.
Here's an excellent example, Microsoft literally told customers this bug was too complex to fix in 3 months, but ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
You can't tell me the complexity was testing either, because the tests are open source and they literally just call it with rand() 1000 times.
Replying to @taviso @mattaustin
Sometimes mistakes are made. When I had to deal with PSIRT, I was always interested in solutions from reporters. But then, I can cite many examples where the fix appeared trivial and was not - at least, to do it correctly.
Replying to @BrkSchoenfield @mattaustin
You don't see the problem with "just give PSIRT as much time as they like", while the users sit there vulnerable?
Replying to @taviso @mattaustin
Attempting to force a single approach on every situation is a disservice. We have to do better than that. We must. Our users depend upon our knowledge to protect them.
Absolutely disagree, this is basically "we must balance the needs of the vendors with the needs of the users". Is it so unreasonable a position to say, "I don't particularly care about the needs of the vendors"?