Re: disclosure policy. In my 20 or so years in security, disclosure policy has been my single biggest influence on vendor security efforts. IMHO the disclosure debate is about how much influence external parties should have on a vendor's efforts, and not whether it is effective.
Replying to @berendjanwever
A 0day policy would have even more effect on vendors, yet harm users. At any point in time, it's not just the effect on vendors but also the end effect on users that matters, if security is the end goal.
Replying to @lazytyped @berendjanwever
Dude, you're making it really hard to avoid having a disclosure debate with you. What you call "0day policy" others call full disclosure, is that really a discussion you want to get into?
Replying to @taviso @berendjanwever
No, I know where we align and where we don't; we can save the twitterverse from that :) Just leaving a reasonable doubt from the dev perspective in a conversation that is usually dominated by security researchers.
Replying to @lazytyped @berendjanwever
I think everyone is clear that vendors don't like full disclosure.
Replying to @taviso @berendjanwever
That was hardly something I wanted to even touch on. I dislike some of the exasperated hero narrative, as you know, and that seems to be the necessary monster to create to build it, so I'd rather pass on this :)
Replying to @lazytyped @berendjanwever
I don't really know what that means, but I don't like the "publicly traded company doesn't need any incentives to do the right thing" narrative.
Replying to @taviso @berendjanwever
I'm not against disclosure, if that is the question. Actually, it helps devs to make a case for investments. I dislike it when the big picture of all the moving parts gets lost in favour of "it's just two lines of code, how hard is that, vendor must be evil or incompetent".
It doesn't get lost; the cost of those moving parts isn't a universal physical constant. We can make them more efficient, but that costs money. Why do that without an incentive?
Replying to @taviso @berendjanwever
By all means keep the incentive, just allow me to evaluate its weight while I try to improve the situation, rather than asking for it to improve :)