ThunderSizzle | 8 days ago

Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?

rdtsc | 8 days ago

> Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?

You set a deadline after an initial conversation and after urging them to fix it, if they don’t respond. I think the idea would be to escalate slowly. Like the original poster said, large tech companies know how to do this and have streamlined the process. But to someone not familiar with the process, it looks like threats and deadlines imposed by a random person.

I am not defending the company just presenting their possible point of view. It’s worth seeing things with their eyes so to speak to try to understand their motivations.

master-lincoln | 8 days ago

But that is the intention, isn't it? The company showed neglect. The researcher has a moral right (and I would say duty) to make that public. It's nice of them to give the company some time to get their shit together. After the vulnerability has been fixed, there is no issue for customers in publishing about the neglect. The bad press for the company is deserved.