by bogtog 678 days ago
Is taking the website offline really necessary? If the vulnerability has been there for 1 year or so already, what harm does it being there for 1 year and an hour do? Also, maybe it's not clear to me exactly what is getting taken down, but I'm amazed that the chain from "person reading email" to "person that is permitted to take down the website" moves so quickly (or that the latter right is given so low in the hierarchy).
2 comments

Given the real money involved, keeping it online with this flaw in place isn’t an option.
It is a very real option. If it's not being exploited by hundreds of people right now and you make more money keeping the site up vs. what you lose in "fraud" it makes sense to keep it running.

Just like you don't shut down your store if someone stole some merchandise or how credit cards just factor fraud into the fees.

It's often a violation of both government laws and insurance contracts, if you knowingly expose that much financial information to a proven vulnerability.

There are businesses where if you suffer a theft, you shut everything down and run a stocktake. For example, an arms dealer. And there are times credit card providers shut down - because there is a known vulnerability, and they have to immediately mitigate, or lose their insurance.

Ok, but shutting down the website because of legal/moral responsibility to protect customer info is very different than doing so because of the “real money involved”, which is what commenter dewey was responding to. You can choose to just take the fraud cost hit in the latter case.
That's why people aim for the legal costs to be commensurate with the possible gain they will miss out on. Many corporate penalties are small enough that mathematically, it's absolutely worth simply breaking the law all the time.
I don't think this is a good analogy. It's more like you find that the lock on your store's front door has been broken for a long time and you just hadn't noticed. Nobody has broken in yet, but could at any moment. Also, it's not just your goods and business that are at risk; instead you're responsible for the protection of things that belong to other people.
I expect the report triggered something in a contract somewhere and they were obligated to take it offline knowing there was an issue.