Would like to know more here about whether this was responsibly disclosed and time given to the Zoom team to fix it. https://twitter.com/zackwhittaker/status/1245350371876315137 …
Replying to @argvee
Yes. Just because they are in the news doesn't make dropping 0-day in Techcrunch appropriate.
Replying to @alexstamos @argvee
Disagree, it's a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle. This is what real responsible disclosure looks like.
Replying to @taviso @alexstamos and
People think that responsible disclosure means that you have some sort of weird responsibility to the vendor when that is in fact not the case :)
Replying to @daveaitel @taviso and
Indeed. One's responsibility isn't to the vendor, it's to the users who would potentially become victims. The way to avoid that is to give the vendor as much of an advantage over attackers as possible.
Replying to @imaguid @daveaitel and
^^^ this. And it's not always the case that telling the vendor first/privately is best for potential victims, but it often is.
That is self-serving garbage, "The best way to help victims is to make sure they don't know we sold them a shoddy product", how convenient. As a consumer, I want to know if you sold me a lemon, so I can tell you what I expect you to do about it.
I think "Do we tell users the problem" and "Do we drop zero-days to prove it" are being conflated as a single issue here. You can tell users a product's security is shoddy as hell and still give the vendor time to fix the specifics. Zero-days are for vendors who #wontfix
I'm still open to the argument that Zoom as a vendor is labeled as a persistent #wontfix vendor though, given their history with the hidden webserver debacle.
The trouble is we tried that, and it doesn't work. There are two main problems. Firstly, it requires that vendors act in good faith, and many don't. Second, you need to amplify real risks above the constant noise of people saying something is broken without providing evidence.