indeed. one's responsibility isn't to the vendor, it's to the users who would potentially become victims. the way to avoid that is to give the vendor as much of an advantage over attackers as possible
Replying to @imaguid @daveaitel and
^^^ this. And it's not always the case that telling the vendor first/privately is best for potential victims, but it often is.
That is self-serving garbage, "The best way to help victims is to make sure they don't know we sold them a shoddy product", how convenient. As a consumer, I want to know if you sold me a lemon, so I can tell you what I expect you to do about it.
I think "Do we tell users the problem" and "Do we drop zero-days to prove it" are being conflated as a single issue here. You can tell users a product's security is shoddy as hell and still give the vendor time to fix the specifics. Zero-days are for vendors who #wontfix
I'm still open to the argument that Zoom as a vendor is labeled as a persistent #wontfix vendor though, given their history with the hidden webserver debacle.
It does appear there are some standard anti-patterns in what they've launched that indicates a lack of adversarial mindset in the design and implementation phases. Do they have a history of #wontfix? Also, I've never met a dev team that responds well to shame and antics.
I don't agree that shame is involved in reporting a vulnerability. It's not an insult, this isn't people calling their baby ugly, it's constructive and informative. People only report vulnerabilities in things they think need to be safe; that's a positive thing.
I dunno. There's a lot of emotive language in the blogpost.
Sure, but I think that's a combination of writing for the intended audience with a casual blog-tone and the questionable growth-hacking Zoom are doing. In that context I think the language can be excused.
Shrug. I recognize there are people that don't care about the impact they have on others, but I do believe empathy goes a longer way than snark.
Yikes. Are we talking about the tone of the blogpost, or the disclosure policy?