I feel more like companies "worried" about disclosure to governments in 24 hours worry more about needing to fix things fast, and maybe hire more people to do it, than about security issues.
I feel more like companies "worried" about disclosure to governments in 24 hours are "worried" less about the 24 hours and more about the disclose part.
Their preferred outcome would be mandatory disclosure within infinity hours.
This is a very simplistic take. There are CVEs and then there are CVEs. Some may take months to be properly fixed, no matter how many engineer-hours you put on them (e.g. the entire side-channel attacks saga). And that's not even taking into account the time required to alert different vendors (think about all the different Linux distributions, upstream, big companies, etc.) and coordinate adequate steps.
None of which matters if it is an active exploit, which not only the government but users of the software should be made aware of even if no patch is available yet; this will allow them to make the choice to shut down the system, apply network-level or other security measures, increase monitoring, or many many many many other things they would be unable to do if software vendors keep it hidden for months while they choose what is the best course.
Don't you think governments need to know if their software has a known actively exploited vulnerability that exposes their private data, especially if you are going to take months to fix it? Or are you saying it is fine to stay silent if you notice Russians are using an exploit reading private user data and it will take months for you to fix it?
Also, there are governments and then there are governments. I would rather have a company keep a zero-day secret than disclose it to a government run by assholes such as Viktor Orbán or Emmanuel Macron.
blitzar|2 years ago
develatio|2 years ago
phpisthebest|2 years ago
I am fundamentally a full disclosure supporter.
Jensson|2 years ago
Detrytus|2 years ago
adql|2 years ago
unmole|2 years ago
I really hope you don't work in software.