[liberationtech] Foxacid payload
coderman
coderman at gmail.com
Fri Jul 18 03:12:42 PDT 2014
On Fri, Jul 18, 2014 at 1:40 AM, Wasa Bee <wasabee18 at gmail.com> wrote:
> if Google starts actively looking for bugs, aren't they going to have a
> ranking per vendor every year to incentivize "bad vendors" to improve?
you'll be able to read the vendor responses yourself in the Project
Zero blog. two timelines were stated:
- 60 to 90 days for Google discovered issues to be responsibly
resolved (then they publish)
- 7 days for in-the-wild exploits to be resolved (then they publish)
i approve of this timeline, and am anxious to see if NSLs are used to
trump some exploits.
(how would you know? good question :)
> What are the other means they can use to incentivize vendors, without making
> too much of a fuss, so that users don't lose confidence in web security overall?
carrot:
"we found this bug in your software this way. you should add this
type of testing to your continuous build and test infrastructure so we
don't have to keep reporting issues like this, and we can all be more
productive!"
stick:
"when company X in your industry failed to address serious security
concerns, the public noticed, and the hit to their bottom line was
<insert number here>"