Comment by amenghra

5 years ago

Good. This sums it up pretty well:

    I also think that it would have been appropriate to notify about the
    ulterior motive behind this defect report at the latest when the paper got
    published. This underhanded approach of reporting a defect just leaves a bad
    taste, really.

    The behavior may be an actual defect in the classical sense, but I'm just
    wondering what would have happened, had this been addressed "in time" by the
    developers. It would seem that the researchers would then have triumphantly
    proclaimed that all major browsers are prone to their newly found attack.
    Must be somewhat disappointing that it didn't get fixed "in time" to make it
    into the paper that way.

I wonder if that behaviour is misconduct under the rules of the researcher's university. It seems at least highly questionable for a university-employed researcher to, in effect, feature request a privacy vulnerability in order to later be able to publish an academic paper on that vulnerability.