I wanted to fully test this “Responsible Disclosure” theory so I submitted a one-click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Replying to @mattaustin @taviso
IMHE, PSIRT MUST always respond and stay engaged. But, arbitrary fix periods fail to take into account the vast range of fix complexities from 1 line of code to a complete redesign. Therein lies the challenge: all fixes are not equal and cannot be treated as such
1 reply 0 retweets 3 likes
Replying to @BrkSchoenfield @mattaustin
Two things, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like, that should not delay warning the user base about the danger they're exposed to.
4 replies 1 retweet 11 likes
Here's an excellent example, Microsoft literally told customers this bug was too complex to fix in 3 months, but it ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
1 reply 1 retweet 12 likes
You can't tell me the complexity was testing either, because the tests are open-source and they literally just call it with rand() 1000 times.
3 replies 0 retweets 7 likes
Replying to @taviso @mattaustin
Sometimes mistakes are made. When I had to deal with PSIRT, I was always interested in solutions from reporters. But then, I can cite many examples where the fix appeared trivial and was not - at least, to do it correctly.
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
You don't see the problem with "just give PSIRT as much time as they like", while the users sit there vulnerable?
6 replies 0 retweets 1 like
Replying to @taviso @mattaustin
“Users who lose”? The vast majority of users haven’t the sophistication to understand their risks, much less address them (I mean, the connected 3.5B people)
1 reply 0 retweets 0 likes
I don't have the mechanical sophistication to understand any design flaws in a carburetor. Is that a good reason to not send me a vehicle recall notice?