Comments on Project Zero: Adventures in vulnerability reporting

Chase Daniel, 2018-08-15 09:35:

So Project Zero reports a vulnerability to the vendor and doesn't request a CVE-ID if the vendor doesn't want one?

The example about the SMS exploit is really interesting. People always think there isn't any potential for harm if they don't interact with anything. Wondering if a similar thing is happening/possible through voicemail, maybe visual voicemail.

Vendors probably fear the entire process... but still need to be more transparent about these types of things so the average person isn't walking around thinking their phone is magical. If everyone was more realistic about all this, companies wouldn't worry their stock price/sales will be impacted and consumers wouldn't be as careless if they weren't misled in such an extremely unethical way.

I was also wondering if there's any way to request that someone from Project Zero look into something unusual? Sort of related to code signing, OCSP requests, JavaScript, and some other persistence features (I think).

Anonymous, 2018-08-02 12:58:

Admitting that one's product can have vulnerabilities seems to be the biggest blocker to me.