Two things, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like, that should not delay warning the user base about the danger they're exposed to.
Here's an excellent example: Microsoft literally told customers this bug was too complex to fix in 3 months, but it ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
1 reply 1 retweet 12 likes
You can't tell me the complexity was testing either, because the tests are open source and they literally just call it with rand() 1000 times.
3 replies 0 retweets 7 likes
Replying to @taviso @mattaustin
A single example of a botched fix proves nothing. Sit on the other side contending with a report that is a symptom of a bigger design issue which will take 18 months to truly fix. That 90-day clock ends with a zero-day about which the user can do nothing. Not pretty.
1 reply 0 retweets 2 likes
Replying to @BrkSchoenfield @mattaustin
It proves plenty, it proves that vendors are willing to pull out any excuse to not fix vulnerabilities in a timely manner. I've been on both sides of the disclosure process, and see good reason to not just give vendors whatever they ask for.
2 replies 0 retweets 7 likes
Replying to @taviso @mattaustin
That's silly, "vendors". Have you worked PSIRT for an honourable company? Do it to see how tricky it can be. There are vendors I wouldn't work for, ever (dishonest). And vendors who try really hard. Prioritizing isn't easy, Tavis, it's bloody difficult.
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
Of course I have. The vendor in this case is Microsoft, are they honourable? (Haha, your bio says IOActive, so I assume you're a Microsoft cheerleader.)
2 replies 0 retweets 3 likes
Replying to @taviso @mattaustin
We can learn a lot about the state of appsec "art" from Microsoft. Far from perfect, true. Maddening sometimes. It's that "state of art" where I want to put my energy cuz basically, we're all beginners. My 20 years doesn't make a "mature practice".
1 reply 0 retweets 1 like
Replying to @BrkSchoenfield @mattaustin
Remember to take a breath between gulps of that Kool-Aid, I don't want you to drown!
5 replies 0 retweets 4 likes
Replying to @taviso @mattaustin
We have tons of data showing that every vulnerability is not equally valuable to attackers. The vast majority reported are never exploited. There exists a rather small minority that is widely exploited against general users.
1 reply 0 retweets 0 likes
That is nonsense, we have very limited visibility into what attackers are doing. It's a very vendor-centric position to claim that because we cannot see what attackers are doing, we must assume that they're not doing anything. Then what are they doing with the exploits they buy?