by spoondan 2817 days ago
There’s a strong argument against disclosure of internally discovered bugs (security or otherwise) that have no evidence of user impact. Internal efforts to find and fix bugs improve actual quality/safety but, if indiscriminately announced, harm perceived quality/safety. We have seen repeatedly how bad security reporting of actual weaknesses can drive users to more risky alternatives or behaviors, lowering actual security and privacy. It’s just too easy to say that all major security defects should be announced or that no major defects should ever exist.

There are about 430 developers that could have exploited this vulnerability. There was no evidence in the available two weeks of logs of it being exploited. And the number of users and types of data available make Google+ a low value target. The decision to not announce was reasonable, common, legal, and moral.

It sets a poor standard to suggest they should have acted differently because they’re now under fire from people with far darker motives than reporting truth or advocating for consumer privacy. Those exploiting the story for their own gain should be shamed rather than capitulated to.