Quote:
Originally Posted by daveT
Have to give it to the crowd for reminding this person about responsible disclosure.
I have sympathies both ways. But as an employee of a security company, we always contact the vendor first, and **** I am grateful when someone contacts us about a problem with our stuff before disclosing. I am fine with them disclosing after the window is closed, no one needs to pretend to be perfect but I'd really prefer not to get owned if possible.
I once worked for a company that had a very bad DNS poisoning exploit in its DNS resolver. We found this out at a conference where a security researcher specifically called us out in his talk (along with a small list of other companies). He told us right before the talk, although he may have informed the company before then. We had no one who really worked on security at all. That became my job for nearly a year, and I learned a lot, mostly that we are really and truly ****ed. Security on the web and home PCs is mostly like deadbolts on your door. It's just a barrier to the least determined criminals. The best defense is not having anything interesting or useful to be stolen.