I wanted to fully test this "Responsible Disclosure" theory, so I submitted a one-click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Replying to @mattaustin @taviso
IMHE, PSIRT MUST always respond and stay engaged. But arbitrary fix periods fail to take into account the vast range of fix complexities, from one line of code to a complete redesign. Therein lies the challenge: all fixes are not equal and cannot be treated as such.
Replying to @BrkSchoenfield @mattaustin
Two things: first, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like; that should not delay warning the user base about the danger they're exposed to.
Replying to @taviso @mattaustin
The typical case is that reporter and vendor have information that no one else has. Too often, required preconditions are privileged, tortured, or artificial. Hence announcement does not give users useful info; in fact, FUD.
Replying to @BrkSchoenfield @mattaustin
Think about what you're saying. Your position is effectively "when we lack data, we must favor the vendor", why? This is why I keep saying "convenient". Neither of us can say what attackers are doing with the active trade in exploits, but "probs nothing" is pretty optimistic, no?
Replying to @taviso @mattaustin
I didn’t say that. I said that we MUST analyze before committing to a course of action. Which implies “work together”. Is that so hard?
Yes, because "work together" is a euphemism for "give the vendor what they want", no? Why don't you spell out "working together" so that I understand.