Open ghost opened 6 years ago
from ZDI's site:
If a vendor response is received within the timeframe outlined above, ZDI will allow the vendor 4-months (120 days) to address the vulnerability with a security patch or other corrective measure as appropriate.
from the readme in this repository:
The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty:
- Waiting half a year until a vulnerability is patched is considered fine.
While one third of a year is less than half a year, it's still way too long for a vulnerability like this to not be fixed.
That's a maximum though. You can still (some would argue this isn't responsible but it's better than full) responsibly disclose according to your own "I'll give them 90 days or see if they at least make progress on it" policy without going straight to scorched earth. This person failed to do that and instead took the stance that, despite not actually being addressed by their arguments, would get their arguments the most clicks (immediate release, which they don't really seem to justify in the README). There's plenty of infosec people who aren't like the described show-offs, who ironically probably now have to work weekends to fix this shit because it's on a harder clock. ~Bit of a morally bankrupt move~, harsh, editing that to: bit lazy.
EDIT: Sounds like ZDI did get contacted, in which case that's a bit different and I do sympathize
Curious as to the arguments of anyone downvoting.
There's plenty of infosec people who aren't like described, who ironically probably now have to work weekends to fix this shit because it's on a harder clock.
If they wouldn't be working weekends to fix it anyway with "responsible disclosure", they're part of the problem.
Orrrr they just value their work/life separation. There's a world beyond vulnerability mitigation.
if they wouldn't be working weekends to fix it anyway with "responsible disclosure", they're part of the problem.
Yes, let's blame the workers for working normal hours.
@viccon I did. @hotaru2k3 has answered exactly as I would.
@MorteNoir1 Simply for context, how long before this was posted?
Currently, ZDI takes about 2 months to review hypervisor-related submissions. In the case of VirtualBox, Oracle has a 3-month patch cycle but usually needs about 1-2 months to fix a bug first, so the expected end-to-end time from report to disclosure is ~5 months. ZDI would 100% buy this bug, but probably for a rather low price -- I would guess 3-6k USD, while it would have been worth ~25k at their flagship Pwn2Own contest. I can understand @MorteNoir1's frustration.
(I should note my earlier point pretty much hinges on them not immediately dropping the vuln, so if they did wait, but by their own policy, I have significantly less concern with the situation)
I do sympathize with the shit timeline don’t get me wrong
I think ZDI would buy this bug if you submitted it to them.