Jump to content

How To Do Responsible Disclosure Of Highest Severity Bugs?


Recommended Posts

Till this day I was a little bit hesitant to publish an ESS V9 bug of the utmost imaginable severity here in this forum, but after this 100% real bug hit me once again today, at 00.23 AM, not even sitting in front of my PC, for the at least 21th time since installing ESS V9 over ESS V8 (October 2015, I think), even with the latest ESS V9.0.408, through all versions of V9 without any exception, I can't wait any longer now!!!

 

With "at least the 21st time" I mean "that I noticed it"... Ie. to notice this highly severe bug you must monitor your logs very closely - when you don't log anything, you will never notice what's going on inside of ESS V9 and the moment when some module of ESS V9 is going south...

 

In a separate PM to 'Marcos' I will publish (hopefully one can append images in PM posts...) three screenshots that illustrate the utmost severity of this incredibly nasty bug. And hopefully 'Marcos' will hand over these images faster than light to the ESET developers!!!

 

I'm fully able to reproduce this severe bug at will, thus the ESET developers will be more than able to fix it for sure, and I'm fully able to make the module gone south fully working without restarting the PC. That's the only "good" part of this severe bug, thus I was able to circumvent it always --- ie. after I have found out how to circumvent it, only one thing of the many I tried works... The very bad part of this severe bug is that there are cases, as this one of today, where I absolutely don't know why it has stroke me again!

 

You can be damned sure that this isn't happening on my (in no way) "fancy" PC (*), with its (in no way) "fancy" programs or the (in no way) "instable" 32 GB RAM etc etc etc only, I'm fully convinced that it's happening on other PCs with ESS V9 too, apparently mostly unnoticed. Call it 35 years of programming and computer experience, call it instinct - bet on it!!!

 

Thus, ESET, how to do responsible disclosure of highest severity bugs? Public or private? In this case I would suggest private. (But it would be nice if I could report in another thread that this bug is acknowledged - in the fixing phase - in the release phase.) Silencing me will not fix this severe bug.

 

 

(*= as I already said it: the only program that makes problems on my PC is ESS V9. There are no crashes of programs, sudden restarts, corrupted files / disks or anything bad going on else!!!)

 

[edited 06:45 AM CET: PM is sent!]

Edited by mma64
Link to comment
Share on other sites

  • ESET Insiders
Thus, ESET, how to do responsible disclosure of highest severity bugs? Public or private? In this case I would suggest private.

 

 

I did it via private message as I thought this to be the most ethical way.

Edited by stackz
Link to comment
Share on other sites

I think its safe to state that ver. 9 was "buggy" to say the least. That was my direct observation of it.

 

You should upgrade to ver. 10. Then test with it to determine if the same issue you are commenting on exists.

Link to comment
Share on other sites

@rugk: (your link) '... security-vulnerability-reporting/': it's not a security vulnerability as I understand this term, ie. having found a way to make a program, in this case ESS V9, crash / crash and get elevated privileges (to install whatever I want) / make it unresponsive or unusable (DoS) or something the like. Nothing of this kind. But thanks for the valuable link, I will study it for sure!

 

[itman] I think it's safe to state that ver. 9 was "buggy" to say the least. (...) You should upgrade to ver. 10.

 

ESS V9... Yes, there are quite some bugs, issues and regressions of which I have reported here some already, but - to date - without much success unfortunately. (One reported bug was corrected and don't ask me how this not that little bug could slip through quality control in the first place. But it took a very long time until ESET even looked at it, though this bug wasn't difficult to fix at all! Of course the dreaded "Mysterious" HIPS Duplicates Bug is of a definitely more difficult to catch kind, as Slashrose, itman and I have elaborated extensively. Because it's totally unreproducible safely, you may call it totally unpredictable even, there are phases where this or that duplicate pops up "continuously", and all of a sudden the very same duplicate popup "silences" for quite some time, just to strike back totally unexpected once again... Just today I was hit by a new HIPS duplicates popup, a so called "1st EVER duplicate of an ages old rule"... Yes, I haven't used this specific program for a very long time, but is that a reason to produce a duplicates popup? No, till the arrival of ESS V9! And as itman has mentioned in another post, this bug has slipped into ESS V10 too apparently... As I expected it!)

 

The only reasons I'm "sticking" to ESS V9 are this bug of highest severity (and the HIPS Duplicates Bug), ie. to check if the bug fix(es) work(s), report back success and then: good bye ESS V9, hello ESS V10!

 

Back to the good news: Marcos has responded to my PM and handed my bug description notes over to the ESET developers! I responded already and offered them a download link to inspect some files thoroughly.

Link to comment
Share on other sites

Having nothing heard from ESET since 12/02/2016 and the mentioned probably rather valuable file set still not downloaded from the ESET developers I'm doing yet another PM to them, with a new screenshot, some more infos and a real life video capture from today! This top secret video capture is showing an alarming new behaviour of the HIPS module in interactive mode. Which is a totally different thing than the severe bug mentioned in my starting post! Though the consequences are as bad as of this first one.

 

This new screenshot (PM'd) sheds a new light into the severe bug (see starting post), at least in one aspect of it, ie. the part where the severe bug happens for no obvious reasons, therefore being completely irreproducible. It might be even an up to date not known bad interaction between (at least) Win7 x64 and ESS V9 doing their stuff at the same time!

 

Acting responsible I'm hoping ESET will take these very severe issues serious at last!!!

 

(NB: the new video capture shows the dreaded HIPS Duplicates Bug in full swing too. Yet another still not fixed bug...)

Link to comment
Share on other sites

A life sign from ESET (a PM'd one), "complaining" about mixing different bugs / issues into one thread / PM thread. "Mea culpa" - my fault - sorry for that. The mentioned realtime life video, ~50 minutes long (*), was downloaded by ESET finally - yesterday... The mentioned valuable file set still not touched, someone at ESET thought, this would be another issue. This person was not a developer - for sure! I have explained them now why this file set is very much belonging to this severe bug! Another "complaint" being I would write too much text. That may be the case but certain things can't be expressed in a that much slimmer manner...

 

Describing reproduction procedures must be as precise as possible and actually executing it may take some time. It's quite rare that there exists a super easy "1-2-3-bug-triggered!" reproduction procedure that's at the same time (quite) super fast to execute too as it was the case with my reproduction procedure in the case of the dreaded Hidden Firewall Popup Bug not that many years ago. At least begging to try my "1-2-3-bug-triggered!" procedure on the following day was a success. (In my memories the time between publishing it and ESET finally doing my super easy reproduction procedure has grown to "weeks", funny. But it was a mere day in reality, I have checked this. Bug was acknowledged - as I expected it, I'm fully able to recognize a bug as a bug when I'm seeing one...) How times have changed - now it's lasting an agonizing amount of time until ESET is reacting at all... (Proof? The corrected ESS V9 HIPS rules first time popup GUI bug - after months. A crystal clear bug that slipped through quality control and a certainly not that difficult to fix bug - from developer to developer said. The wrong HIPS log entries (description field) bug (a quite easy one, for sure), no reaction - I've written in my answering PM now they can postpone this one easily, to ESS V10, where I will find it again, with a quite high probability... The HIPS Duplicates Popup Bug - older than a year in the meantime... (A really difficult one to find, the fix may be far easier than finding it. But doing nothing will not fix it. Marcos reported this one as "handed over to the HIPS engineer" - this was months ago. As a developer - and I'm one - I know what I would have done in all this time... Slashrose, itman and I have given ESET quite a lot of information and rules that might trigger this bug. But (PM'd) I'm giving them now my full HIPS rule set, as a "starter kit". Of course only actually using it, in HIPS interactive mode, for some days, on a real PC, will trigger these HIPS duplicate popups, for rules that exist for years. This is the best and only way to capture this bug!)

 

I'm confident all the mentioned issues  are on a good way now and accelerating...

 

 

(*= showing the HIPS Duplicates Bug in all its unpredictable "madness". Because it's intermixed with another alarming new HIPS behaviour it's top secret.)

Edited by mma64
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...