I wanted to fully test this “Responsible Disclosure” theory so I submitted a one-click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Tavis & Matt are right. Forcing fixes does work. For them. Things that can’t be fixed without breaking other functionality require extra time & care, but it can be done in less time than that. Dropping 0day reprioritizes internal teams’ focus though, so it’s not without consequences.
Internal teams can respond to that reprioritization & additional work by adding resources instead of shooting the messengers with the whole “responsible” guilting language.
- 2 more replies
New conversation
We have tons of data showing that every vulnerability is not equally valuable to attackers. The vast majority reported are never exploited. There exists a rather small minority that is widely exploited against general users.
That is nonsense, we have very limited visibility into what attackers are doing. It's a very vendor-centric position to claim that because we cannot see what attackers are doing, we must assume that they're not doing anything. Then what are they doing with the exploits they buy?
End of conversation
New conversation
At the same time, PSIRTs need to deliver actionable risk analysis in context for users. Both sides are at fault in this. Stop picking sides! It doesn’t help.
It helps plenty, not all sides are equal. I think the multinational trillion dollar corporations can look after their own interests.
End of conversation
New conversation
Let me turn this around to challenge researchers to better qualify reports! I’ve seen SO MANY inflated CVSS scores. (Likewise, there are vendors who routinely deflate.) Instead of demonizing vendors, what can you control? The quality of your reports. That’d help.
Know the difference between design critique and issues which are very likely to get compromised. These are often not the same. Treating all reports as likely exploits is killing us; PSIRTs & patchers are overwhelmed. Research pressure is dysfunctional.