2020 Nomination for Lamest Vendor Response
Open Source Security, Inc – grsecurity/PaX
It’s generally accepted wisdom that the hardest part of the design, implementation and assessment of exploit mitigations is arguing with Spender. When you plan to step into this realm, where the space-time of threat models sparks with maddening frequencies, be prepared to face opponents who live and breathe this battleground. Consider yourself lucky if it’s just the PaX Team patiently explaining to you why you are stupid, and you don’t end up 168 messages deep in a thread contemplating a return to PHP development! In fact, the particular submission we got this year pointed to a flame so vague that we have no clue about who was wrong, or about what. So instead of highlighting this particular incident, we decided to cumulate the cries of everyone who ever got a harsh response from the pioneers of OS hardening. Hear our comforting words: You may have been right (although it’s unlikely).