[tw04]

This was posted 18 hours ago. If you can't either verify the user has actual access to other people's consoles (at which point you should be immediately turning access off) in 18 hours, then you should probably just close up shop because you have no business providing remote access to a can of soup much less someone's firewall.

If the user in question was making it up, you should also have posted within minutes of discovery that the user in question (and multiple other people) were making false claims.

Again, they've chosen the "we're looking into it" route which is always reassuring.

[kevincox]

> If you can't either verify the user has actual access to other people's consoles [...] in 18 hours, then you should probably just close up shop

It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

[tw04]

>It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

So it's impossible for me to prove that nobody has walked through my front door today? I'm quite confident it isn't. I'm also confident if they have sane logging in place, they can prove accounts weren't being accessed by unauthorized users.

You're also talking in vagaries like they're hunting a ghost. They've been interacting with a willing end-user who originally reported the error.