[__jonas]

That was an interesting talk!

I'm not very familiar with security stuff, but I didn't really get the responsible disclosure thing – is it really unreasonable for this company to ask them not to go public just three months after their initial disclosure?

I understand the 'it was known since 2013' thing, but they did also say the company was actively making improvements after the initial disclosure so they were not exactly just shoving it under the rug were they?

[Hikikomori]

They got letter from their lawyers no?

[__jonas]

Yeah? I’m saying I don’t get why the letter from the lawyer is unreasonable.

Sure, ideally it would have not been done via a lawyer but rather just asking them to delay going public directly since they were communicating before, but still it’s just three months after initial disclosure and they were actively making improvements and informing customers that they need to switch out hardware which I assume takes time, I think not wanting the researchers to go public just yet is pretty reasonable no? Am I missing something?

As I said I’m not very familiar with security research stuff, maybe anything goes three months after disclosure, it just surprises me.

Also just to be clear: the work by the researchers here is super impressive, and it’s fantastic that they are doing it, I was just wondering about this disclosure process.

[aunderscored]

If you always allow a company to say "wait no don't" with issues, it gives them a tool to quiet problems without solving them. Responsible disclosure is a tool , and part of that tool is the understanding that this will be public