Two things: first, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like; that should not delay warning the user base about the danger they're exposed to.
Here's an excellent example: Microsoft literally told customers this bug was too complex to fix in 3 months, but it ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804 …
You can't tell me the complexity was testing either, because the tests are open source and they literally just call it with rand() 1000 times.
Replying to @taviso @mattaustin
A single example of a botched fix proves nothing. Sit on the other side, contending with a report that is a symptom of a bigger design issue which will take 18 months to truly fix. That 90-day clock ends with a zero day about which users can do nothing. Not pretty.
Replying to @BrkSchoenfield @mattaustin
It proves plenty: it proves that vendors are willing to pull out any excuse to not fix vulnerabilities in a timely manner. I've been on both sides of the disclosure process, and see good reason to not just give vendors whatever they ask for.
Replying to @taviso @mattaustin
That’s silly, “vendors”. Have you worked PSIRT for an honourable company? Do it to see how tricky it can be. There are vendors I wouldn’t work for, ever (dishonest). And vendors who try really hard. Prioritizing isn’t easy, Tavis, it’s bloody difficult.
Replying to @BrkSchoenfield @mattaustin
Of course I have. The vendor in this case is Microsoft, are they honourable? (Haha, your bio says IOActive, so I assume you're a Microsoft cheerleader.)
Replying to @taviso @mattaustin
We can learn a lot about the state of appsec ‘art’ from Microsoft. Far from perfect, true. Maddening sometimes. It’s that “state of art” where I want to put my energy cuz basically, we’re all beginners. My 20 years doesn’t make a “mature practice”.
Replying to @BrkSchoenfield @mattaustin
Remember to take a breath between gulps of that Kool-Aid, I don't want you to drown!
Replying to @taviso @mattaustin
At the same time, PSIRT needs to deliver actionable risk analysis in context for users. Both sides are at fault in this. Stop picking sides! It doesn’t help.
It helps plenty; not all sides are equal. I think the multinational trillion-dollar corporations can look after their own interests.