MSN reporting on Microsoft’s smooth moves on Vulnerability Disclosure features quotes from me and @doublepulsar.com
www.msn.com/en-us/news/i...
I’ve seen the paper. It’s not a jailbreak. It was Defense Oriented Prompting (DOP) - a capability defenders need. My thoughts about the hasty Export Controls that made Anthropic halt access to Fable. If national defense is the goal, this is an own goal against us
www.wsj.com/tech/ai/anth...
More of my thoughts on the public vulnerability disclosure fight Microsoft picked with the researcher Nightmare Eclipse in this piece by @mattkapko.com for @cyberscoop.bsky.social. @andrewmorr.is of @greynoise.io Intelligence shares perspective too.
cyberscoop.com/microsoft-co...
This T-shirt I made for Symantec Vulnerability Research, a program predating Google Project Zero by nearly a decade where we’d discover, report, & disclose vulnerabilities we found in other people’s software, is 20 years old.
Still holds true: Don’t hate the Finder, hate the vuln
Cheers 🍻 to the unfinished mission. #l0phtDay
Not that ‘responsible’ disclosure shit again 🙄
No vendor uses that term unless they want to call someone irresponsible.
Even if someone drops 0day, patch & move on. Going after a researcher is a great way to turn 1 bad relationship into many terrible relationships.
Dropping 0day isn’t the worst thing a researcher can do. It’s not ideal, but at least orgs can take steps to mitigate.
Non-disclosure is far worse.
What drives researchers toward non-disclosure?
Threats from vendors.
Researchers aren’t criminals unless their crime is curiosity.