Yeah? I’m saying I don’t get why the letter from the lawyer is unreasonable.
Sure, ideally it would not have been done via a lawyer but rather by just asking them directly to delay going public, since they were communicating before, but still it’s just three months after initial disclosure and they were actively making improvements and informing customers that they need to switch out hardware, which I assume takes time. I think not wanting the researchers to go public just yet is pretty reasonable, no?
Am I missing something?
As I said, I’m not very familiar with security research stuff, maybe anything goes three months after disclosure, it just surprises me.
Also just to be clear: the work by the researchers here is super impressive, and it’s fantastic that they are doing it, I was just wondering about this disclosure process.
If you always allow a company to say "wait no don't" with issues, it gives them a tool to quiet problems without solving them. Responsible disclosure is a tool, and part of that tool is the understanding that this will be public.