
I'd be up for "gradual disclosure" after 90 days. Something that gives some kinda hint as to the storm ahead but doesn't hand out a pre-built bunch of stuff the script-kiddies can fuck your business over with.

We were pretty fucking good at security on our platform (Windows and Linux), but if you've no idea something like this is coming down the pipe, it's hard to mitigate once TO and pals decide to release working exploits.



I think you must be talking about CVE-2010-0232, it wasn't 90 days, it was more like 180. This was at a time when Microsoft refused to release kernel patches outside of service packs. I begged Microsoft at multiple in-person meetings at Redmond to reconsider and patch, they simply refused and said there would be repercussions if I disobeyed.

After four months of negotiations, I told them that I'm going to publish it whether a patch was available or not. This didn't have the effect I had hoped, they started threatening me instead. They called me and told me my career would be destroyed. In one particularly memorable call they told me that their PR and legal department only had two settings, "off and destroy" and (in a rather menacing tone) that they would "air my dirty laundry in public". I still don't know what that means.

I was shaken, but told them I'm still going ahead. They responded by calling everyone they knew at my employer demanding I was terminated.

There was a trivial mitigation, just disabling a very rarely used feature (vdm support for 16 bit applications). I made detailed documentation explaining how to enable the mitigation for every supported platform, and even made tutorial videos for Administrators on how to apply and deploy group policy settings.

Here are the instructions I wrote:

https://seclists.org/fulldisclosure/2010/Jan/341

And here's a video I made showing how to apply the policy to a Windows Server 2003 machine like yours:

http://www.youtube.com/watch?v=XRVI4iQ2Nug

I sent these detailed instructions to all the usual places that advisories are published. I included a test case so you could verify if the bug affected you and verify the mitigation was correctly deployed. As you can imagine, Microsoft were furious.

I know it's little comfort, but through some hard fought battles over the last decade we have reached the point that Microsoft can reluctantly patch critical kernel security bugs if given around three months notice. They still pull some dirty tricks to this day, you wouldn't believe some of the stories I could tell you, but those are war stories for sharing over beers :)

It sounds like your attackers compromised you with an outdated WordPress installation, then gained privileges with this vulnerability. I'm not sure I agree the blame here lies solely with me, but regardless, I would recommend subscribing to the announce lists for the software you're deploying. You could also monitor the major security lists for advisories related to the software you use. It's high volume and varies in quality, but you can usually identify the advisories that apply to you easily.
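The advice above is to watch announce lists and the high-volume security lists for advisories that apply to the software you run. As an added example (not part of the thread and not the author's code), here is a small triage routine that reduces a stream of advisory entries to the ones matching an inventory of deployed software, by product name and affected version. The advisory identifiers, products, versions and host names are constructed placeholders, as is the `fixed_in = None` convention for an advisory whose only option is a workaround.

```python
# Added example: match published advisories against what you actually run.
# All records below are constructed sample data, not real advisories.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    ident: str                  # advisory identifier (placeholder values below)
    product: str                # product name as the vendor publishes it
    fixed_in: Optional[str]     # first non-vulnerable version; None = no fix yet
    mitigation: str             # what an administrator can do right now


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical.

    Non-numeric suffixes such as '3b' are reduced to their digits; a purely
    textual component counts as 0.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(inst: Installed, adv: Advisory) -> bool:
    """True when the installed product is covered by the advisory."""
    if inst.product.lower() != adv.product.lower():
        return False
    if adv.fixed_in is None:
        # Unpatched issue: every deployed version is affected, and the
        # only actionable item is the vendor's or researcher's mitigation.
        return True
    return parse_version(inst.version) < parse_version(adv.fixed_in)


def triage(inventory: List[Installed], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (host, advisory id, mitigation) for every applicable advisory."""
    hits = []
    for inst in inventory:
        for adv in advisories:
            if is_affected(inst, adv):
                hits.append((inst.host, adv.ident, adv.mitigation))
    return hits


# Constructed inventory and advisory feed (placeholder identifiers).
INVENTORY = [
    Installed("web01", "wordpress", "2.8.4"),
    Installed("web02", "wordpress", "2.9.2"),
    Installed("app01", "windows-kernel", "5.2"),
    Installed("db01", "mysql", "5.1.41"),
]

ADVISORIES = [
    Advisory("ADV-0001", "wordpress", "2.9.2", "upgrade to 2.9.2 or later"),
    Advisory("ADV-0002", "windows-kernel", None,
             "apply the vendor-independent workaround via group policy"),
    Advisory("ADV-0003", "postgresql", "8.4.3", "upgrade to 8.4.3 or later"),
]


if __name__ == "__main__":
    for host, ident, action in triage(INVENTORY, ADVISORIES):
        print(f"{host}: {ident} applies; action: {action}")
```

Feeding this from a real list means parsing each advisory into an `Advisory` record first; the version comparison is deliberately simple and should be replaced with the packaging ecosystem's own comparison (for example the distribution's package manager) where one exists.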


That’s mental and very damning. Most defences of MS in this thread lean on goodwill, which is completely lost here. After this behaviour, I’m surprised you even gave them one more day. Acting like they’re in a goddamn Scorsese movie... shame on those kids. They weren’t raised right.

They should have lost the 90 day privilege to begin with.


1) You should have named names. A jerky company is merely one composed of jerky people and it is those people who should be shamed.

2) Developers need to be unafraid to stick up for their principles and to prioritize their career more than their job, because idiot managers exist. The job might fire you; your love of technology will not. Glad you seemed to stick to your guns; you will be vindicated.


> there would be repercussions if I disobeyed.

That's absolutely incredible. Not that I don't believe you, more that I find it incredibly stupid of them to think that you could be intimidated like that.

This is a nice little bit of backstory for those that wish to peddle the tale that the Microsoft of today is nothing like the one from before.


Microsoft is one of many companies that did things like that in the past (and some still try). This abusive behavior in the past is why many groups have strict release policies after some amount of time, and even why some people will drop anonymous zero days. You cannot trust these companies to do the right thing. Time and time again they have gone as far as to attempt to make security research illegal.


That's 9 years ago though. A lot has happened in the past few years.


Yeah, like Project Zero forcing Microsoft’s hand to be more responsible, for example. Tavis doing this now is what paved the way for the next Tavis who comes along, who will now be able to get issues fixed without threat of their lives being ruined by a megacorp.


It must have been “fun” having all those follow-up skip-level 1:1s after those calls! I don’t envy your position, but good work!


>> Something that gives some kinda hint as to the storm ahead but doesn't hand out a pre-built bunch of stuff the script-kiddies can fuck your business over with.

That's what the author already gave on day zero. Why does there need to be more extensions, gradients, and timelines for a trillion dollar market cap company's core product?


> Something that gives some kinda hint as to the storm ahead but doesn't hand out a pre-built bunch of stuff the script-kiddies can fuck your business over with.

I am not an expert, but an argument I've heard before is that this is worse, because a "hint" that describes the impact in even broad terms has a good chance of giving attackers enough of a clue to figure out what the issue is. Meanwhile it will not contain a patch or detailed mitigation steps (because that would be too specific), so even fully informed administrators will be left helpless until whenever "full disclosure" happens.



