It is a bit odd to go to a journalist first with a vulnerability disclosure and then when they are patched poorly to just publicly disclose instead of going back to the vendor. 'Several weeks' does not even seem like an extremely long time span either all things considered.
On the other hand even major players are constantly having low hanging fruit bugs delivered to them very cheaply due to bug bounty programs (like the two recent Facebook bugs). Paying $5k a bug and having no other costs (such as bad press) could be 'cheaper' than actually giving people security training and having audits. If companies started getting burned by these failures maybe they would work harder to prevent them ahead of time.
1 comment
[ 6.2 ms ] story [ 15.3 ms ] threadOn the other hand even major players are constantly having low hanging fruit bugs delivered to them very cheaply due to bug bounty programs (like the two recent Facebook bugs). Paying $5k a bug and having no other costs (such as bad press) could be 'cheaper' than actually giving people security training and having audits. If companies started getting burned by these failures maybe they would work harder to prevent them ahead of time.