Comment by cjbprime

6 years ago

> users should be informed right away so that they can take steps necessary to secure themselves

For the record, this could be accomplished by a trustworthy source announcing "there is a critical vulnerability in Zoom's macOS software and you should uninstall it immediately pending vendor response". Some researchers do this already -- Tavis Ormandy has, for example.

It's not a binary choice between no disclosure and releasing an unpatched PoC.

By the way, I'm not trying to argue that this researcher behaved unethically, just sharing another option. My usual take is that the researcher gets a lot of leeway for having to make a difficult decision and presumably trying their best to balance consequences, similarly to how a pilot trying to land an emergency plane has great discretion in how they do so.

Unfortunately in this case "uninstall it immediately" does not actually mitigate the vulnerability, since it will just reinstall itself if you come across a triggering link.