Comment by jorge_leria
3 years ago
The fact that we kept it in triage means that we believed there was something. Also the reporter gave a really good explanation.
By the time the report was originally sent the feature was just released, and while we never deployed a code change to directly address it, it wouldn't be the first time that we receive something that I believe was genuinely a security issue and stopped being reproducible due to a seemingly unrelated change around the same time.
I'm wondering how your two quotes "security of our customers is of the utmost importance to us" and "we believed there was something" fit together given that the issue stayed open for three years?
So for three years you believed there was something, yet you didn't invest sufficient resources to reproduce and/or understand the issue, while at the same time, all these three years security was of utmost importance?
Hey, I got into more details in my internal discussion with the researcher and previous post, but around the time we determined we couldn't replicate it, we got a similar report leading me to believe this was already closed. I didn't believe there was something the whole time. It was a mix-up on my side, and I'm sorry about it.
I think I understand, I've also fallen victim to losing track of things, so I understand. If you haven't, maybe having a policy of trying to have zero security issues in the backlog would help here? That way things can't get lost, and if they're closed then at least the other party can see their issue has been closed and act accordingly (maybe try and escalate or something if they still think it's a real issue).
Wouldn't the wrong party, after getting an erroneous closure email, have immediately followed up, multiple times probably if the first one was ignored?
It's still unclear what prevented the follow-up communications from making their way to you.
It's a really simple vulnerability though. It comes off like you're not really on top of things when you can't reproduce or close it.