I don’t understand the drama about Google discovering an internal G+ bug and not announcing it. Everyone does that. Nobody announces. You don’t know 1/1000th of the horrible vulnerabilities pentesters find in these kinds of places.
If every horrible bug had to be announced (and: some obviously do need to be), nobody would get anything tested. It’d all be downside.
It's completely unrealistic to disclose whenever vulnerabilities which could have led to a data breach are fixed. That's obvious to people working in security but may not be to people unfamiliar with it. Even if feasible, it could discourage finding vulnerabilities internally...