by moron4hire 3528 days ago
I read that and said a literal WTF. How is it at all acceptable to honor such a request? What possible good reason could there be?

Unless the discloser was the US Government and the request was actually a court order. But this seems ludicrous. If they require secrecy around the exploit, they wouldn't have disclosed it to Mozilla at all.


Mozilla is probably unable to disclose not just the vulnerability, but other surrounding info they may have been provided, including which other parties have received that info. They are not saying the Angular team is unaware of the problem, right? Only that they themselves are not the ones reporting it.

If you don't honor such a request without a VERY STRONG reason, nobody in their right mind will ever disclose anything to you ever again. Right now we don't and can't know if such a strong reason exists.

"They are not saying the Angular team is unaware of the problem, right?"

Are we just going to assume the folks at Mozilla are clairvoyants? How would they know what the Angular team knows? If it's known in general that the Angular team knows about this issue already, perhaps through other means, then the statement that they haven't disclosed this to the Angular team makes no sense. The statement is, "Mozilla is choosing to do its part to keep Angular in the dark about this."

And now one of the researchers has commented https://github.com/mozilla/addons-linter/issues/1000#issueco...

Mozilla is definitely in a position to reject NDA-protected security information, but then they wouldn't have been privy to the security information which a researcher was conditionally offering.

Would it be better to reject the information outright? Or would you suggest that Mozilla make agreements in bad faith, deceitfully agreeing to terms they don't intend to honor?

I have no idea if that is the case here, but it is completely normal that some vulnerabilities have a set disclosure date to allow for coordinated responses. You can either get the information early but under non-disclosure, or along with everyone else. Most people play by these rules (with a few notable exceptions).

> Unless the discloser was the US Government and the request was actually a court order.

If this were the case, I think it's actually the best reason to disregard the request of the discloser and disclose, as it's now in the public interest (i.e., closing a possible backdoor being used to surveil dissidents, etc.), not merely part of a private agreement.

But yeah, if Mozilla signed an NDA on this, that seems like it was a bad move from the get-go.