This, so much this.
How could #Apple have missed this escalation to their PSIRT, you're asking?
Today, let's talk about "Analyst Fatigue".
Analyst Fatigue is a term to describe a bias which begins to set in after a long period in a type of job where you receive many escalations to triage.
I think there are a few misconceptions in that thread.
1. Reports are usually mistriaged because of knowledge gaps, not burnout.
2. Burning out can be mitigated by enjoying the work.
3. Rotations can be staffed to occupy a tiny amount of time for a single person.
@0xMatt
It also doesn't seem to take into account practices like redundancies, either across time (e.g., prioritize first, respond later) or across staff (e.g., primary and secondary).
It also doesn't seem to consider that the reporter of the bug, if incentivized and encouraged to have the bug accepted, can be leveraged as a second layer of redundancy.
What I can see happen, however, is that it is hard for a consumer to find the right way to report a security problem, for example.
They also received the report in the right email around 11 PM on a Friday night. It's not like the whole investigations team was covering that weekend. The news went public on Monday.
If this had been a researcher instead of a consumer, they would be getting pummeled for dropping
The story is actually more interesting than what @k8em0 suggests, the flaw was found on Jan 19 (Sat), they tried to report it on Sun, wrote a postal letter on Tue, wrote an email with exploit vid on Fri, story broke Mon from another source. nbcnews.com/tech/security/ho…
Jan 31, 2019 · 12:03 PM UTC