Isn't that like saying we shouldn't talk about COVID-19, because not all humans watch the news? We don't have a perfect system for disseminating information, we have to make do with what we have. 
Replying to @taviso @bryanriddlespic and
Informing the vendor first seems like the most sane option IMO. Isn’t that the default P0 policy anyway?
Replying to @x0rz @bryanriddlespic and
You'll have to explain why it's the most sane option? It won't change the risk to everyone who has already installed it, and puts people who haven't installed it yet at risk...? I think that probably is what P0 would do, doesn't mean it's right.
In no other industry have the vendors convinced everyone that product quality information should remain secret
Replying to @daveaitel @x0rz and
And then somehow managed to get customers to help fight for less information for consumers... for their own protection. It's really a work of art.
And then lobbied govt to make it mandatory practice ! I am in awe.
Replying to @daveaitel @taviso and
So several years ago, @TheColonial and I did a talk at 44con about our experiences with responsible disclosure. https://www.youtube.com/watch?v=oVev_DvD4D0 … I won't hold it against anyone if they don't bother watching, but, tl;dr, I'm firmly in the 'no more free bugs' camp now.
Replying to @Viss @daveaitel and
And to be specific: I still find stuff, and occasionally report stuff, but only if it's a "hey look I can blow up a power plant" or "I can make this mechanical arm decapitate people" level of fuckery.
Replying to @Viss @daveaitel and
"Responsibly disclosing", I don't feel, should continue to mean "beg the vendor to care for several months, possibly get to deal with angry lawyers, or be threatened or ignored". I like P0's approach: you get X days to fix it, then we publish. glhf.
Replying to @Viss @daveaitel and
I also like the P0 approach, gives a fair warning and X days to patch, then publish no matter what. Now if X=0 I really don’t feel like calling that « responsible » except for minor bugs. If the bug can be weaponized against people, meh, what’s responsible about that?
Why bother reporting it at all? The only reason would be you believe other people can find and exploit it, correct? Not everyone agrees leaving people exposed when you can warn them about the danger is "responsible", I happen to think that's "irresponsible". 
Less than 20 years ago, big companies existed and shipped things without the urge for video conferencing software. Now the entire world is put at risk because Zoom is the only solution.