Re: disclosure policy

In my 20 or so years in security, disclosure policy has been my single biggest influence on vendor security efforts. IMHO the disclosure debate is about how much influence external parties should have on a vendor's efforts and not whether it is effective.
Replying to @berendjanwever
A 0day policy would have even more effect on vendors, yet harm users. At any point in time, it's not just the effect on vendors but also the end effect on users that matters, if security is the end goal.
Replying to @lazytyped @berendjanwever
Dude, you're making it really hard to avoid having a disclosure debate with you. What you call "0day policy" others call full disclosure, is that really a discussion you want to get into?
Replying to @taviso @berendjanwever
No, I know where we align and where we don't, we can save the twitterverse from that :) just leaving a reasonable doubt from the dev perspective in a conversation that is usually security-researchers dominated.
Replying to @lazytyped @berendjanwever
I think everyone is clear that vendors don't like full disclosure.
Replying to @taviso @berendjanwever
That was hardly something I wanted to even touch on. I dislike some of the exasperated hero narrative, as you know, and that seems to be the necessary monster to create to build it, so I'd rather pass on this :)
Replying to @lazytyped @berendjanwever
I don't really know what that means, but I don't like the "publicly traded company doesn't need any incentives to do the right thing" narrative.
Replying to @taviso @berendjanwever
I'm not against disclosure, if that is the question. Actually, it helps devs to make a case for investments. I dislike when the big picture of all the moving parts gets lost in favour of "it's just two lines of code, how hard is that, vendor must be evil or incompetent".
We are shaped by our own experience. You deal a lot with external vendors, I prefer to focus on doing the right thing from the inside (engineering). I think we outline the good and bad of both.
Hmmm, but isn't your argument that we should just accept the amount of time that patch qualification takes based on resources assigned by some executive bean counter, and not try to influence that?
Replying to @taviso @berendjanwever
Not at all. My argument is that getting to the point where patches are released very fast doesn't mean that we have solved the patching problem (most likely just shifted it to users), so "time to release" shouldn't be our only metric.
Replying to @lazytyped @berendjanwever
You can use any metrics you want, but how long you leave your users vulnerable seems like an important one.