Comment by rolltiide

6 years ago

as demonstrated, "responsible disclosure" is a huge time waster for the discovery, and the price of this is undervalued even if the company had a clear bug bounty program.

it's more valuable than 90-days of a developer's time, not even correlated to time at all really

I guess this depends on your definition of responsible. Something like this however is bad enough that users should be informed right away so that they can take steps necessary to secure themselves. Assuming they were responsive I'd have given them the 10 days to confirm it was an actual issue, but I'd have expected them to notify the public and their users of the issue and mitigation steps within a week.

  • > users should be informed right away so that they can take steps necessary to secure themselves

    For the record, this could be accomplished by a trustworthy source announcing "there is a critical vulnerability in Zoom's macOS software and you should uninstall it immediately pending vendor response". Some researchers do this already -- Tavis Ormandy has, for example.

    It's not a binary choice between no disclosure and releasing an unpatched PoC.

    By the way, I'm not trying to argue that this researcher behaved unethically, just sharing another option. My usual take is that the researcher gets a lot of leeway for having to make a difficult decision and presumably trying their best to balance consequences, similarly to how a pilot trying to land an emergency plane has great discretion in how they do so.

    • Unfortunately in this case "uninstall it immediately" does not actually mitigate the vulnerability, since it will just reinstall itself if you come across a triggering link.