12 comments

[ 5.4 ms ] story [ 120 ms ] thread
(comment deleted)
It seems lately every piece of software is getting more and more vulnerabilities, failures, crashes. Microsoft products are exceptionally high in the list.
I don't understand why they wouldn't give a pre-release patch to the bug reporter (especially if it's someone like Google) for them to analyse before doing a final release.

If they were actively working with Project Zero instead of being seemingly silent, this wouldn't happen

This is where FOSS is still winning and will always win. Fixed happen in the open and bad fixes can be called out

I’m not sure why you think it’s the researchers responsibility to verify patches. It would be nice, especially if they’re knowledgeable in the code, but Microsoft have the resources to put someone else in that position too.
It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on a unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
[flagged]
You said "Being an unpaid volunteer, I also don't really care about external deadlines. I'll just make the issue and the fix public and people can patch libxslt themselves." But that's what they were going to do anyway if you didn't fix it--they were going to make the issue public. What's the problem?
What’s the expectation for responsible disclosure when it comes to ineffective patches? Does that normally reset the counter to 90 days, or only if the patch was reasonable and in good faith?
Microsoft, why don't you simply use Copilot to fix the vulnerability?
(comment deleted)