@itswillis
At Google Project Zero, the team spends a *lot* of time discussing and evaluating vulnerability disclosure policies and their consequences. It's a complex and controversial topic!
Here's P0's policy changes for 2020 (with our rationale for the changes):
googleprojectzero.blogspot.com/2020/01/policy…
Dan Gorman
@FF_Freak
7 Jan

(read the review yourself!) Faster patch development and less vendor confusion on disclosure via standardized timeline, still no mention if P0 users own pets (or Tamagotchis) in annual review. Still amazing folks and I appreciate their work :)
HackingPheasant
@HackingPheasant
7 Jan

Seems like some good changes!
Erik Gomez
@Contains_ENG
8 Jan

If a patch is released in 20 days, but the vendor chooses to offer details in the release notes, customers may not patch.
An assumption is being made in that customers deploy all patches and then find out later they aren't vulnerable. I don't think it's the right premise.
mugundhan
@mugundhanbalaji
8 Jan

I don't know why many people don't notice this. 👍 pic.twitter.com/OQQ7MOVpMe
eric doerr
@edoerr
9 Jan

I appreciate the transparency on approach, and the multi-year partnership your team has provided. Thanks for all you do Tim and the rest of GPZ!