[sjy]

They didn’t disclose for months, and when they did, they failed to credit the researcher who found the bug, and started their blog post by saying “This is a fancy way of saying we’ve dialed up the security of the app. It wasn’t unsafe before, but it’s double safe now.” That sucks.

[bawolff]

Everyone's talking about low payout, but honestly the timeline seems much more annoying to me and harder to justify (was the fix for this really that hard?)

[algesten]

They can't go back in time and change how they did it, and they did explain and apologised for not handling it correctly.

Stuff like that happen. We should only judge them if they screw up like that again.

[luckylion]

Aka "first murder is on the house, the second one you pay for".

[tobr]

How does it make even a little sense to compare this to murder?

[jcelerier]

consider murder a metasyntactic variable

[omginternets]

I'm not sure I agree with the parent poster, surely this isn't exactly murder.

[KMag]

It's a hyperbolic cheeky way of pointing out that they're getting off the hook for their first gross transgression. The GP isn't in any way suggesting mishandling this security issue was equivalent to murder.

They're pointing out that if the transgression were more severe, we'd easily see right through the hole in the reasoning.

[omginternets]

In its hyperbolic cheek, it overlooks the fact that we can overlook a first offense, precisely because it’s not a matter of life and death.

[tobr]

You can’t just substitute different transgressions and use the same reasoning. There are plenty of crimes where it’s reasonable to be more lenient to a first-time offender, but murder is not one of them.

[arghwhat]

There are no crimes where it is reasonable to be lenient to a first-time offender. It's a matter of intent: Lenience is given to accidents (usually still only the first occurrence), which may or may not have caused a crime.

What they did was to silence a security researcher, produce marketing material with falsehoods, and as a result ultimately damage their customers by allowing a security vulnerability to remain present, and not raise alarms afterwards that customers need to ensure that they were not exploited. They actively decided that harming their customers was okay if it allowed them to avoid attention.

This is not an accident, but an intentionally committed crime. No lenience is warranted.

[gopiandcode]

The comparison to murder seems apt when we're looking at this in terms of intent rather than severity. The original response stated that we should forgive slack because "things like this happen", playing off the incident like an accident, when this was clearly not the case.

[KMag]

There's a difference in kind between leniency and suspending all judgement. The GP was explicitly in favour of suspending all judgement.

They didn't accidentally spin this so hard into a cover-up. Sure, if they showed a repeated pattern of such behavior, they should see greater consequences, but they still deserve to get called out hard on their first cover-up.