Hacker News new | past | comments | ask | show | jobs | submit login

I find the culture around 90-day disclosure deadline fascinating.

Is it actually reasonable to disclose this just for missing the deadline given that it has already been exploitable for twenty years? I know nothing about security but I just feel so bad for people who have to scramble to fix this legacy system which they probably had nothing to do with. I don't think I have ever seen a good secure system understood, redesigned and reimplemented in less than a quarter. The exploit author himself seems to have spent months on this without coming up with a fix either.




First, you need a hard bright line as a norm. It's the only thing a corporation will understand, and you can see how often they try to abuse or delay it anyway. Disclosing after the deadline is the only thing that gives the deadlines urgency and means that things which are urgent also get handled quickly. If there isn't a working process for handling as serious a vulnerability as this within 90 days, then there probably isn't a working process for handling serious but time-sensitive vulnerabilities within 90 days either. Use it or lose it.

Second, these things are a lot more correlated than you think. Look at Spectre recently: those bugs have been in there in various ways for what, 20+ years? Yet something like 3 different research groups all came across variants of it simultaneously. There are pervasive correlations leading to https://en.wikipedia.org/wiki/Multiple_discovery - people use similar tools like fuzzers, they follow similar research topics and gossip, certain things become 'obvious' to everyone simultaneously, and so on. OP might not think that anyone else is working along similar lines, but how could they know that? How should anyone interested in Spectre have known that there were (at least) that many other groups finding similar problems?


It is very fortunate that it wasn't a zero-day then! I'm not sure if it was a "scramble" since it sounds like from the ticket it was ignored until the deadline got close... although it would be interesting to see the activity on Microsoft's internal bug tracker.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: