I understand exactly why they do it. And it’s jackassery. If Microsoft had not done anything then I’d fully support responsible disclosure. But Microsoft did issue a patch which did fix the originally reported issue. It’s not clear that the second exploit path was called out in the initial project zero report. IMHO the fact that the vendor is responsive and working on the issue means that publishing exploit code puts millions of users at additional risk with no tangible security benefit. And yes, I am a career IT security professional. Project Zero is a good idea in general; in this case disclosure was irresponsible IMO.


The report timeline was listed in the link, with this new variant being reported on September 23rd.

Having disclosure deadlines is the only way to get away from companies taking literal years to provide patches, and the deadlines only matter if they're actually enforced.


They were given 3 months from when the patch was reported to be broken. Not the initial report.

So..


The patch appears to have been fairly trivial to work around.

