Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The repro was a crash, which by itself, is not an exploit and it was reported against a beta software that is not deployed widely. There is no end-user installable silverlight 5 plugin and in fact a developer would be breaking Silverlight 5 license if he put a Silverlight 5 app on a publicly accessible web page (http://drc.ideablade.com/xwiki/bin/view/Documentation/code-s..., see "go live" terms).

At the risk of generalizing a bit, what bothers me about your comments specifically and security people in general, is that once something gets labeled with "security issue" label it apparently becomes a black-and-white issue (and I apologize to security people who don't do that).

WebGL shouldn't be implemented. Reporting non-exploit crash in software that is not available except to developers that don't run other people's code gets put (implicitly) into the same bucket as 0-day exploit for widely deployed software.

As a security person you know damn well that not every crash report deserves following security disclosure protocol, especially given that addressable target is effectively null in this case. Chrome's security guidelines explicitly spell out a difference between a crash and a security bug: http://www.chromium.org/Home/chromium-security/reporting-sec... and they don't consider every crash a security issue http://www.chromium.org/for-testers/bug-reporting-guidelines...

The severity of problem exposed is nowhere close to what security disclosure protocols are designed for i.e. it's not an exploit.

But you're content with labeling it a "security flaw" and not doing any further analysis of severity or impact and your condemnation of that particular bug report is based on this binary mislabeling.



You wrote "The only venue that Microsoft provides to give feedback and bug reports is their connect website." That was simply, overtly, directly, incontrovertably false.

Now, because you are a message board geek, instead of saying "oh, interesting, I didn't know that, thanks for letting me know", you've given me 6 grafs of random stuff about security people, black-and-white, you-didn't-even-read-the-report, 0-day-not-crash-whatever. I don't care. You were wrong, that wasn't the way to report a security issue. It's either a security issue --- which your original argument depends on it being --- or it's not. If it's a security issue, posting it on a public bug tracking server was the wrong call.

Glad to clear that up for you. Feel free to the last word.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: