[stavros]

If the vulnerability can't be fixed within the week, maybe the company should be SOL. This will incentivize companies to build their software better, as they'll know that any vulnerability that is hard to fix will mean consequences.

Maybe the mitigation is for the company to take its service down while it works on the problem. Again, a good incentive to avoid that in the first place. Also an incentive to not waste any time after a report comes in, to see and act on it immediately, etc.

At some point, we have to balance customer risk from disclosing immediately with companies sitting on vulnerabilities for months, vulnerabilities that may be actively exploited.

[dijit]

I hear what you're saying and I agree, but it's perhaps too black and white.

Let's take one of the most disastrous bugs in recent history: meltdown.

Speculative execution attacks inside the CPU. This required (in Paul Turners words): putting a warehouse of trampolines around an overly energetic 7-year old.

This, understandably took a lot of time, both for microcode and OS vendors.. it took even longer to fix it in silicone.

Not everyone is running SaaS that can deploy silently, or runs a patch cadence that can be triggered in minutes.

I work in AAA games and I'm biased, we have to pass special certifications to release patches, if your publisher has good relations, waiting for CERT by itself (after you have a validated fix) is 2 weeks.

[holowoodman]

Spectre/Meltdown is the perfect example of a vendor, Intel and AMD, deflecting blame onto the OS and software producers, successfully avoiding a recall, avoiding refunds for decreased performance and avoiding most of the blame.

What actually should have happened there is a full recall of all affected hardware. Microcode fixes and payments for lost performance in the mean time, until the new hardware arrives.

Meltdown was a desaster, but not only because the bugs themselves were bad. But also especially because we let Intel and AMD get away scott free.

[chii]

There is no world in which a recall (and/or a refund) is ever possible.

Until it is demonstrated that such flaws are a life and death fault, no regulation is possible for such flaws (unlike cars - which do have such recalls for faults that have life and death implications).

[holowoodman]

In the world of physical goods, that is totally normal. Only software is different. And maybe the US.

[precommunicator]

> waiting for CERT by itself (after you have a validated fix) is 2 weeks

If the industry practice would be few days to disclosure just maybe those practices might change or maybe there would be a (extra paid) option to skip the line for urgent stuff.

[worthless-trash]

And when its an OS company and the test suites take a week to run (really) ?

Dev time + test time + upload to cdn , is often longer than a week.

[stavros]

You know, airlines also had a ton of excuses for not making air travel so safe, it's expensive, takes a while, do you know how long these things take, etc.

Still, they did it, because we decided safety is important to us.

[worthless-trash]

Airlines also get to control how equipment is used and have clear controlled deployments. Os vendors do not.