Google's Project Zero tweaking Microsoft, because it did fix a bug For once, a Google Project Zero bug report to Microsoft has resulted in a fix without a public spat. Indeed, this fix happened without any public announcement at all. Back in 2014, Project Zero's James Forshaw told Redmond he'd found a Windows Kernel Object Manager bug that permitted a “limited bypass of traverse permissions …
In Canada, at least on my computers, the Flash Player update came in for MSIE before it came in for Google Chrome. The update didn't come a day later, after I sent a complaint email to Google.
However, I've worked in very large companies and usually they can't do anything in less than 2 months.
And MS has it even worse because of the vast number of companies whose products need to be integration tested and potentially modified when MS makes a change.
Witness Kaspersky complaining about how little time MS gave it for integration testing.
It seems a shame that inexperienced non-programmer types with no regard for the organizational complexities of an operating system can reduce reliability for all of us by setting unrealistic deadlines for programming professionals.
If the software maker seems to be ignoring you, formally disclose to your country's CERT. If your country's reports back that it is being ignored and that you should do a full disclosure, then do the full disclosure. Anything less is worse than being an ambulance chasing lawyer. (Ambulance chasing lawyers don't create clients by pushing people under buses.)
"If the software maker seems to be ignoring you, formally disclose to your country's CERT. If your country's reports back that it is being ignored and that you should do a full disclosure, then do the full disclosure."
You assume that disclosure to the software maker doesn't result in a gagging order being filed or hacking charges laid - both have happened.
It happens with software all the time, where by the time a specific bug bubbles up through onto a sprint, it has been coincidentally neutered by another fix or improvement. It can also happen when a developer working on an unrelated ticket stumbles upon the initial problem and fixes it at the same time, legitimately believing that it had never been reported. Obviously not saying that this is definitely what happened here, but let's not feign surprise about something that would happen in a product as big as windows at least daily has indeed happened.
Well that pretty much describes windows update. Here's a font vulnerability fix that breaks outlook.
Seriously though, it is the responsibility of the original developer to create sufficient test case coverage that my fix gets rejected by the build server. Apart from the most egregious introduced bugs, if someone breaks functionality that I wrote, I ask myself:
* Did I adequately name the variable/parameter/method/field/const/enum/class/whatever?
* Did I include a comment where what is being done is obvious but why it's done less so?
* Did it structure my code with single responsibility principles?
If the answer to those is no then I tend to blame myself.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
