Sandboxescaper did research, just like many other people (including you, @JGamblin, you have that word in your bio). Research/hacking != being a criminal. Just because someone didn't do things your way it doesn't mean that research wasn't done. Words have meanings.
*DISMISSING* the person's work as research is what's bothering me. That's the only thing I'm talking about. Research is important and so is knowledge sharing, this is what moves everything forward.
This person’s behavior is closer to “vengeful mercenary” than security researcher. They didn’t get paid for their original work, so they took it out on the company. It’s not dismissing their abilities - it’s differentiating them from other security researchers.
Replying to @securingdev @0xAmit and
When the company shows absolutely no interest in vuln reports, there is nothing else to do. Public disclosure got the 2 bugs “fixed”, didn’t they?
Replying to @enigma0x3 @securingdev and
How long were people at risk between public disclosure and fixing the bug?
Replying to @JGamblin @securingdev and
If there are concerns about disclosing a vulnerability publicly due to lack of vendor response, we are backtracking. https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html?m=1 … and https://www.us-cert.gov/vulnerability-disclosure-policy ….
Replying to @enigma0x3 @securingdev and
As someone who has reported bugs to Google that project zero FAQ is definitely one-sided. I have been stalled, told it wasn't a bug, asked why I was doing the research, etc, etc.
Replying to @JGamblin @securingdev and
What about CERT? They do half of the time GPZ does. I guess I’m saying you have to draw a line, and doing so doesn’t make someone less of a researcher than others.
Replying to @enigma0x3 @securingdev and
Has the CISA ever dropped anything? I only have experience working with Google.
Replying to @JGamblin @securingdev and
Yeah: https://www.kb.cert.org/vuls/id/519137/
@wdormann might have more insight.
Yeah, CERT will publish without the vendor's blessing in a number of cases. Including:
- Vendor isn't responsive (and we know they received the info)
- Vendor doesn't think it's a vul
- Vendor isn't going to fix it
- Too much time has elapsed
CERT 45 day is "soft", GPZ 90 hard.