Disagree, it's a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle. This is what real responsible disclosure looks like.
Replying to @taviso @alexstamos and
People think that the responsible and responsible disclosure means that you have some sort of weird responsibility to the vendor when that is in fact not the case :)
Replying to @daveaitel @taviso and
indeed. one's responsibility isn't to the vendor, it's to the users who would potentially become victims. the way to avoid that is to give the vendor as much of an advantage over attackers as possible
Replying to @imaguid @daveaitel and
^^^ this. And it's not always the case that telling the vendor first/privately is best for potential victims, but it often is.
That is self-serving garbage, "The best way to help victims is to make sure they don't know we sold them a shoddy product", how convenient. As a consumer, I want to know if you sold me a lemon, so I can tell you what I expect you to do about it.
I think "Do we tell users the problem" and "Do we drop zero-days to prove it" are being conflated as a single issue here. You can tell users a product's security is shoddy as hell and still give the vendor time to fix the specifics. Zero-days are for vendors who #wontfix
I'm still open to the argument that Zoom as a vendor is labeled as a persistent #wontfix vendor though, given their history with the hidden webserver debacle.
It does appear there are some standard anti-patterns in what they've launched that indicates a lack of adversarial mindset in the design and implementation phases. Do they have a history of #wontfix? Also, I've never met a dev team that responds well to shame and antics.
I don't agree that shame is involved in reporting a vulnerability. It's not an insult, this isn't people calling their baby ugly, it's constructive and informative. People only report vulnerabilities in things they think need to be safe, that's a positive thing.
I dunno. There's a lot of emotive language in the blogpost.
Sure, but I think that's a combination of writing for the intended audience with a casual blog-tone and the questionable growth-hacking Zoom are doing. In that context I think the language can be excused.
Shrug. I recognize there are people that don't care about the impact they have on others, but I do believe empathy goes a longer way than snark.
Yikes. Are we talking about the tone of the blogpost, or the disclosure policy?