Comment by jabiko

3 years ago

I'm wondering how your two quotes "security of our customers is of the utmost importance to us" and "we believed there was something" fit together given that the issue stayed open for three years?

So for three years you believed there was something, yet you didn't invest sufficient resources to reproduce and/or understand the issue, while at the same time, all these three years security was of utmost importance?

Hey, I got into more details in my internal discussion with the researcher and previous post, but around the time we determined we couldn't replicate it, we got a similar report leading me to believe this was already closed. I didn't believe there was something the whole time. It was a mix-up on my side, and I'm sorry about it.

  • I think I understand, I've also fallen victim to losing track of things, so I understand. If you haven't, maybe having a policy of trying to have zero security issues in the backlog would help here? That way things can't get lost, and if they're closed then at least the other party can see their issue has been closed and act accordingly (maybe try and escalate or something if they still think it's a real issue).

  • Wouldn't the wrong party, after getting an erroneous closure email, have immediately followed up, multiple times probably if the first one was ignored?

    It's still unclear what prevented the follow-up communications from making their way to you.