@gjacobse said in Palo Alto Networks patches critical buffer overflow bug:
Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating
Palo Alto Networks patches critical buffer overflow bug in its GlobalProtect VPN.
DAN GOODIN - 11/11/2021, 8:30 AMAbout 10,000 enterprise servers running Palo Alto Networks’ GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10.
Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.
(Click link for remainder of article)
I'm not sure this bolded part can actually be claimed. that's definitely the desired effect, but how can they know that it IS the norm?