by sudhirj 2544 days ago
Security researchers have to assume that if they've found a vulnerability, it's only a matter of time before the evil people will find it as well - that is if they haven't found it already.

That's why all disclosures come with a window - if they don't, the companies aren't under any pressure to update their systems, the exploit starts being used in the wild, etc. The window is not ideal, but it is better than no window.

And there isn't much point arguing over 30 vs 90 vs 120 vs 365 days. 90 is reasonable, enough for even the largest mainstream software companies to issue a patch release.


Still makes no sense. I agree the window is a good policy to force lazy vendors to act as they should.

But what’s the point of reducing the window for nice vendors who quickly delivered a patch?

This is totally counterproductive. In order to incentivize vendors to deliver patches more and more quickly, good actors should profit from that extra time to secure their user base. In an ideal world that might even permit reducing the window in the future when everyone behaves well.

This is just jerking around and sending a bad signal, unless of course that anticipated disclosure date was decided together with the vendor.

I think patching is firmly in your hands now, and this data may help you choose to upgrade if you were holding off for some reason. Imagine your favorite iOS game was broken by the release that fixes this, so you've been ignoring the update. Now that you know your phone can be bricked by a malicious text message, you may decide "I guess I won't be playing that game for a while" and upgrade. The point is, pretty much everyone that applies every update (which is automatic) has the update now. The last few stragglers are probably waiting for information exactly like this. Now they have it.
The patch itself reveals the vulnerability. Attackers analyze these things to see what they’ve fixed. If you release a patch but don’t announce the vulnerability that was patched, then you’re just hiding it from good guys who don’t have time to dig through the patch.
I wouldn't be terribly surprised if the vendor asked for it to be disclosed late in the afternoon before a long holiday weekend (in the US) with the hope that mainstream press outlets would not notice.
> unless of course that anticipated disclosure date was decided together with the vendor

Does anybody know if it was? How does Project Zero make these decisions? Do they consider the install base already patched?

Your incentive line in no way matches reality. In the past, every vendor that was given an unlimited open timeline on patching has not patched. This includes Microsoft, Apple, Oracle and most of the other large vendors. Most of them are better at patching, but this is mostly because of the risk of someone zero-daying the patch and destroying the user base.

Security is not an ideal world, in fact I would say it is the opposite.

Microsoft (employees) has repeatedly argued that 90d can be unreasonable for Windows due to the development and testing cycle, which also has to align with “patch Tuesday”. I haven’t heard the complaints recently so maybe they’ve streamlined part of the process.
Windows 10 might be the largest enterprise codebase at over 50 million lines of code. It probably takes 30 days alone just to browse to the file that has the bug