rene_mobile’s Twitter Archive—№ 5,782

1. That! I generally don't pitch in on the "responsible PoC disclosure" debate, as I don't actively contribute to the area and rather let @maddiestone @taviso @AndreaBarisani or @Fox0x01 argue (and enjoy learning the arguments). But here is my defender's point of view: 1/ @idl3r/1200223675418468357
2. (Further context: I very rarely have a binary opinion on security topics, because - erm - most of the time it's just hard and complicated, and a nuanced discussion is better than sticking to one position and claiming it is the only answer. There are no silver bullets.) 2/
3. So from the defender's side, I have 2 main arguments why releasing full PoCs (after notifying the author/vendor and giving a reasonable time frame for everybody to patch) is helpful: 3/
4. 1. A full PoC is an optimal test case for anybody to check if that particular bug is still open. Yes, the PoC may not work even though the bug is still there (mitigations, random system changes, etc.). But a crasher is much harder to test with than a deterministic, full PoC. 4/
5. I simply don't have the skills right now to develop such PoCs myself when given the abstract bug descriptions, and many developers on the "builder" side don't either. Getting a free unit test is golden, even though - as with all testing - it cannot give complete coverage. 5/
6. 2. As pointed out, a PoC - especially when coming with an in-depth write-up of the techniques - is highly educational in the sense of practical exploitation techniques. Generalizing from a number of them, new mitigations may appear that make the next PoCs harder. 6/
7. We (hello @i41nbeer @tehjh @againsthimself @kayseesee @5aelo @halvarflake) may fiercely disagree on the relative value of particular mitigations or sandboxing on top of each other (I think of it as layers of defense), but without detailed PoCs, we wouldn't even have the debate. 7/
8. So from a defender's point of view, full PoC release sometimes makes life more hectic (cough, 7 days ;-) ), but I am highly grateful to teams releasing them and allowing us to improve the code (and yes, sometimes a short disclosure window is the right call). /end