Or, maybe not. How is this ethical? Disclosing a vuln not known to be in the wild while a patch is being developed from one of the most mature security orgs in the world...@msftsecresponse - forcing a bad patch due to an arbitrary disclosure policy could cost business millions
Replying to @cnoanalysis @GossiTheDog and
I do worry about the seemingly escalating rivalry between Microsoft and Google security teams.
Replying to @hacks4pancakes @cnoanalysis and
I don't understand where these ideas come from, do you think we're saying "let's make their products safer, that will teach those jerks a lesson?".
Replying to @taviso @cnoanalysis and
It’s merely human nature that friendly competition between big players’ analysts may unintentionally draw attention away from other products.
Replying to @hacks4pancakes @cnoanalysis and
I sincerely doubt you could find anyone at Microsoft, Google, Apple, Mozilla, anywhere that will say "we don't like getting bug reports". Do you argue that they're lying, and secretly think they're mean?
Replying to @taviso @cnoanalysis and
That’s not what I said, at all. You don’t have to be resentful about getting vulnerability reports to want to outdo other teams’ performance.
Replying to @hacks4pancakes @cnoanalysis and
I guess I don't understand what you're saying, you said there is a worrying rivalry, but as far as I know we all want the same thing. We help Microsoft, Microsoft helps us, we're all on the same side?
Replying to @taviso @cnoanalysis and
I’m saying: That’s great, as long as your analysts are staying civil and not unintentionally trying to outdo one another at the expense of research into other products. From the outside it looks like you’re gradually getting more competitive.
Replying to @hacks4pancakes @cnoanalysis and
What does "competitive" mean in this context, you mean trying to make the safest products? I guess, I'm trying to understand what is "worrying", I'd be excited if we both keep upping our game?
Replying to @taviso @cnoanalysis and
Every org has only so many vulnerability researchers on staff, and only so many hours to dedicate towards research. I hope Microsoft’s team is expending a sensible effort analyzing critical stuff in their own products this week, and not turning too much attention to Google.
If Microsoft spends too much time making competitors' products safer that their own products were unsafe, wouldn't we want to make their products safer? I think we both know our jobs and how to balance this stuff, do you have any stats to suggest the balance is wrong?
Replying to @taviso @hacks4pancakes and
It's very off-base to claim they're doing this to hurt Microsoft when Google often misses the Project Zero deadlines themselves and has the bugs disclosed without a patch shipping for their own products... it's not as if the policy is exclusive to Microsoft.
Replying to @CopperheadOS @taviso and
Doing it to more than one makes them consistent, not right. No one ever said they were exclusively applying.