Comment by vednig
4 months ago
It should be a standard to make bugs public or disclosed to the affected companies at least a while after its discovery so at least the companies which are connected to each other can implement their own fix. Otherwise, having closed deals with security researchers behind doors and asking them not to reveal the truth isn't going to prevent bad actors from using the vulnerability. It is times like these we should reconsider our standard in terms of web security as a whole.