lists.openwall.net | Open Source and information security mailing list archives
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Microsoft Cries Wolf (again)

Karl DeBisschop (kdebisschop@...rt.infoplease.com) writes:

>> As for the criticism on Microsoft's blasting researchers who poorly
>> handle security vulnerabilities, most of it is not valid.

> If MS had a better means of reporting the problem, or handling bug
> reports, I'd be more sympathetic.
>
> My only experience with MS bug reporting was this known bug with IE: if
> you configure your web server to negotiate delivery of compressed
> content, IE will tell the server that it accepts a compressed PDF. It
> will then hand off the compressed data stream to Acrobat Reader,
> apparently without decompressing or letting Acrobat know the content
> should be decompressed.
>
> About a year ago, I tripped over this issue. (I have since found out it
> is a known bug - see http://www.sitepoint.com/print/1029). In an effort
> to help MS, I spent hours of company time registering to various bug
> reporting services on MS sites - and never found one that would accept
> my bug report because IE is not a paid product. Not that I wanted any
> support - I only wanted to help them out.

Yes, you make an excellent point here -- the general support process is horrendous. Unless you've paid for the product, you can't even report a bug most of the time. Many people (myself included) have pushed for a better response to general bug reports. They currently treat nearly every issue as a "Technical Support" request. I can't simply report a bug that I can reliably reproduce, which is a problem.

However, the security response process typically removes this barrier -- I have not only been able to submit, but also receive answers to, many security reports on products that I would not receive support for in the more general customer support network. In particular, support for OEM pre-installs is where things differ quite a bit. Odds are, if your product ships with your system, you're basically screwed if trying to seek support for it. However, security is more than happy to deal with such issues. I really wish support would be more categorized, e.g., major technical issue versus a known bug.

> OTOH, if vendors do respond, then radical full disclosure seems to me
> unwarranted, and a source of increased risk. For instance, every bug I
> have reported to PostgreSQL, Red Hat, Mozilla.org, and Ximian
> [Evolution] has been acknowledged and fixed - always within a few months,
> usually within days. It's like any relationship -- the way you are
> treated reflects the trust you have earned.
>
> Matt, you make some valid points. But ISTM they hinge on MS being
> responsive to bug reports. In my limited experience, they are not.

Well, Microsoft's customer support certainly does tend to leave a sour taste in the mouths of most bug reporters. Unless your complaint is a complete showstopper, and you have a license that enables you to receive support directly, you probably will receive no response from Microsoft.

Security, on the other hand, is one of the most responsive parts of the company I have seen -- at least initially. When sending a security report to Microsoft, the longest I've had to wait for a reply was just over two days. The reason for even that much delay was that I sent my report in on a Friday night -- at least in Redmond's time zone. ;-)

While there have been instances where communications appear to have been "lost", in reality that is just the extreme workload of MSRC showing through. They do track and work with each reporter, but communication does tend to slacken a bit. However, they are responsive to reporters who request the status of tracked issues. In my experience, MSRC really does work diligently; their attitude seems to be that those who really need information will request it.
-------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ .
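The compressed-PDF problem Karl describes above comes down to content negotiation: the client advertises gzip in Accept-Encoding, the server compresses the PDF, and the bytes reach a helper application that never sees the Content-Encoding header. The example below is added here and is not code from the original thread, from Microsoft, or from the sitepoint article; the function names, the HANDOFF_TYPES list and the sample payloads are constructed for illustration. It shows a server that compresses anything the client accepts (the behaviour that triggers the bug) beside one that excludes types normally handed to external helpers, and a client-side decoder that honours Content-Encoding, which is what the browser should have done:

```python
import gzip
from typing import Dict, Tuple

# Constructed sample payloads (not real files): a minimal PDF header and an HTML page.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"
SAMPLE_HTML = b"<html><body>" + b"hello " * 200 + b"</body></html>"

# Assumption for this example: content types a browser typically hands to an
# external helper (Acrobat, archivers, ...) rather than rendering itself. They are
# served uncompressed so a helper that never sees Content-Encoding still gets the
# raw bytes it expects.
HANDOFF_TYPES = {"application/pdf", "application/postscript", "application/zip"}

Headers = Dict[str, str]


def client_accepts_gzip(accept_encoding: str) -> bool:
    """Parse Accept-Encoding (RFC 2616 style), honouring q=0 as an explicit refusal.

    An explicit 'gzip' entry wins over a '*' wildcard, as the spec requires."""
    qvalues: Dict[str, float] = {}
    for token in accept_encoding.split(","):
        parts = [p.strip() for p in token.split(";") if p.strip()]
        if not parts:
            continue
        coding = parts[0].lower()
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat as not acceptable
        qvalues[coding] = q
    if "gzip" in qvalues:
        return qvalues["gzip"] > 0
    return qvalues.get("*", 0.0) > 0


def naive_response(accept_encoding: str, content_type: str, body: bytes) -> Tuple[Headers, bytes]:
    """Weak negotiation: gzip every response the client says it accepts.

    This is the server configuration that exposes the IE/Acrobat hand-off bug."""
    headers: Headers = {"Content-Type": content_type}
    if client_accepts_gzip(accept_encoding):
        headers["Content-Encoding"] = "gzip"
        body = gzip.compress(body)
    headers["Content-Length"] = str(len(body))
    return headers, body


def hardened_response(accept_encoding: str, content_type: str, body: bytes) -> Tuple[Headers, bytes]:
    """Same negotiation, but never compress types that are passed to a helper app."""
    media_type = content_type.split(";")[0].strip().lower()
    headers: Headers = {"Content-Type": content_type}
    if media_type not in HANDOFF_TYPES and client_accepts_gzip(accept_encoding):
        headers["Content-Encoding"] = "gzip"
        body = gzip.compress(body)
    headers["Content-Length"] = str(len(body))
    return headers, body


def decode_as_browser(headers: Headers, body: bytes) -> bytes:
    """What a correct client does before handing content to a helper: apply
    Content-Encoding, so the helper receives the entity body, not the transfer form."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def helper_sees_valid_pdf(body: bytes) -> bool:
    """Stand-in for the helper's first sanity check: a PDF starts with '%PDF-'."""
    return body.startswith(b"%PDF-")


if __name__ == "__main__":
    ua = "gzip, deflate"
    h, b = naive_response(ua, "application/pdf", SAMPLE_PDF)
    print("naive server, raw handoff valid PDF? ", helper_sees_valid_pdf(b))
    h, b = hardened_response(ua, "application/pdf", SAMPLE_PDF)
    print("hardened server, raw handoff valid PDF?", helper_sees_valid_pdf(b))
    h, b = hardened_response(ua, "text/html", SAMPLE_HTML)
    print("HTML still compressed? ", h.get("Content-Encoding") == "gzip")
```

The exclusion list is a workaround for a client defect, not a protocol fix: the correct behaviour lives in decode_as_browser, which is what the browser in Karl's report skipped. Excluding hand-off types on the server is the pragmatic choice when you cannot control the client.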