by jay-barronville 685 days ago
If it’s been 3 years since you reported a vulnerability, they’ve done nothing, and you can confirm the vulnerability still exists, you should tell the public about it since you’ve done your part as far as responsible disclosure is concerned—the public should know.
2 comments

I don't get this responsible disclosure. Responsible to whom exactly? It takes leverage from security researchers who have risked their valuable time. Now the companies with lax security can dictate their pay, if any, through bounties while threatening them not to discuss their findings. It's corrupt.
> Responsible to whom exactly?

Unsuspecting users.

When you don’t give companies a chance to fix a vulnerability that could have serious consequences for users, you’re effectively putting the users in harm’s way by disclosing it to the public. Bad actors will take advantage of that information very quickly. Nothing good comes out of that.

Whether you like the company or not, remember that the users have no idea they’re at risk.

“Wouldn’t it be a shame if we charged you with felonies under the CFAA. Now be a good little boy and shut up about our vulnerable systems.”

That’s basically the logic at play here, covered in an Orwellian veneer of “responsibility”.

It's not a vulnerability as such. It does retain data between two executions that it shouldn't; however, we're in control of both executions, so that doesn't really classify as a vulnerability.

Basically something is stateful that shouldn't be, probably because it's built on Lambda.
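The "stateful when it shouldn't be" behaviour described in the last comment comes from Lambda reusing a warm execution environment, so anything kept at module scope outlives a single request. The following is an added example, not code from the thread or from any product mentioned in it; it simulates warm reuse in-process rather than on real Lambda, and the handler names, the `EVENTS` list and the `leaks_between_requests` check are constructed for illustration. It shows a handler whose module-level list leaks one caller's payload into another caller's response, the same handler with its state scoped to the invocation, and a check a defender can run to detect cross-request leakage before deploying.

```python
"""Constructed demo: module-level state surviving warm Lambda invocations."""

# Constructed module-level state. In a real Lambda module a global like this
# is created once at cold start and then shared by every invocation that
# lands on the same reused environment.
_recent_requests = []


def leaky_handler(event, context=None):
    """Appends the caller's payload to a module-level list and echoes the
    whole list back. On a reused environment, a later caller receives data
    that an earlier, unrelated caller sent."""
    _recent_requests.append(event["payload"])
    return {"seen": list(_recent_requests)}


def safe_handler(event, context=None):
    """Same behaviour, but the list is created inside the call, so it lives
    only for this invocation and nothing from an earlier request can leak."""
    recent_requests = [event["payload"]]
    return {"seen": recent_requests}


def simulate_warm_invocations(handler, events):
    """Runs a handler repeatedly in one process, the way a warm Lambda
    environment does, and returns the responses in order."""
    return [handler(event) for event in events]


def leaks_between_requests(handler, events):
    """Defender-side check: each response must contain only the payload of
    the request that produced it. Returns True if any response carries data
    from a different request."""
    responses = simulate_warm_invocations(handler, events)
    return any(
        response["seen"] != [event["payload"]]
        for response, event in zip(responses, events)
    )


# Constructed sample requests from two different callers.
EVENTS = [
    {"payload": "alice:order-1"},
    {"payload": "bob:order-2"},
]


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_between_requests(leaky_handler, EVENTS))
    print("safe handler leaks:", leaks_between_requests(safe_handler, EVENTS))
```

Running the check against a handler inside the same interpreter is what exposes the problem: a single invocation of `leaky_handler` looks correct, and only the second warm call returns the first caller's payload. The fix is not to disable environment reuse but to keep per-request data out of module scope, or to reset it explicitly at the top of every invocation.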