Project Zero just told everyone how to exploit a bug that won't be fixed for a month.
Even if that is (arguably) better than "having no teeth", that doesn't make it a good idea. Perhaps they can find better teeth, a response that doesn't involve helping bad actors when vendors fail to patch quickly.
Blackhats knowing is what makes companies patch the vulnerabilities. Not enough people care about there being an undisclosed vulnerability for the company to expend resources.
Fines for companies that don't patch vulns within 90 days? This would encourage shifting left with security to make it easier to fix flaws so they don't overrun product deadlines.
Yes, this is not a simple description of a vulnerability, this is almost a ready-to-use exploit.
Ethics aside, what does it mean for Microsoft and ProjectZero from the legal standpoint? Does publishing an active exploit make either ProjectZero or Microsoft criminally or civilly liable in some way?
If you merely say that you observed a crash in someone else’s software when a certain argument is passed, and that makes you liable for their bug, we are all in big trouble.
Well, there is a difference. First, that certain argument (malformed certificate) was not randomly encountered, it was specifically constructed to trigger the vulnerability (Was reverse-engineering involved? I don't know). Second, this bug report not only discloses the fact that the vulnerability exists, but also provides a working example for any script-kiddie to use as an exploit. Third, the bug was not privately disclosed to the software vendor, but was released to the public.
From https://security.stackexchange.com/questions/22973/if-i-find... it seems that would be criminal in the UK or Germany, no idea what could've happened in the US. On one hand, you have the First Amendment, on the other hand, there is an EULA.