On Project Zero’s 90+30 vulnerability disclosure policy changes

  1. A dramatic comparison here is Google patching one of its own websites. The website is centralized, accessible, likely has a recent codebase, and gets fixed once in order to protect all users, so it’s reasonable to assume the patches can be developed, tested, and deployed quickly — and that if this isn’t happening, either a communication failure or vendor ambivalence may be in play.
  2. Now consider a company responsible for a fleet of satellites in orbit, or medical devices implanted in humans. These products are decentralized, very difficult to access, and likely have a variety of technologies and aging codebases that are inherently more complicated to patch and regression test. Not only do multiple instances need fixing, but there can also be a safety-critical impact if there is a failure to do so. Sometimes organizations do plan ahead and make this almost as smooth as patching a website, but this is still very much the exception and not the rule.

founder/chairman/cto @bugcrowd and co-founder of @disclose_io. troubleshooter and troublemaker. 0xEFC513EA
caseyjohnellis