[billy99k]

It is irresponsible. It brings attention to an issue that has not yet been resolved, which will likely lead to users getting data stolen/scammed.

Even the most security-aware companies have a process to fix vulnerabilities, which takes time.

I would never hire someone that doesn't reaponsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.

In the case of bobdajrhacker? Both.

[siffin]

It could never be anywhere near as irresponsible as the original bad security practices, though. At some point, if you wanna make money by handling people's sensitive data, you are the responsible party, not everyone else.

[Retric]

Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.

[kevincox]

Yes, that is why responsible disclosure almost always comes with deadlines. You give the chance for the company to resolve the issue and mitigate user impact. But if they are taking so long that the user impact will be higher than you just disclose.

[akerl_]

What if your assessment is that the user impact is already high enough that the right time to disclose is immediately?

[kevincox]

If you assess that the best time to publicly disclose is immediately then disclose immediately.

But I find that this case is rare. Typically it would be something like many of the following being met:

- It is likely to be discovered by an attacker soon.

- History shows that the company is unlikely to fix it soon.

- Users have some way to protect themselves.

- Your disclosure is likely to reach a significant number of users.

[akerl_]

How do you know it hasn’t been discovered by another attacker already?

[ranger_danger]

You don't, but you make a judgement call based on different criteria, such as how difficult the issue was to find, maybe how popular/big the site is, etc., as to whether or not you think anyone else is likely to know about it already.

[93po]

users at large have a right to know if their data is being handled recklessly by any person or group, and just because some entity has arbitrary rules and poor communication/practices on how they want to tell them disclosures, it doesn't in any way make it irresponsible to let the public know: hey, your shit is getting recorded and is available for anyone to download and listen to.

[4ndrewl]

Why do you think this? It clearly says that RBI fixed the issue on the day they it was found and disclosed.

It seems pretty reasonable to publish, given that?

[saagarjha]

Are you in a position to hire security engineers?

[jvdh]

It was resolved? In the 'Timeline: The Speed Run' section they list:

"Day 1, same day: RBI fixes everything faster than you can say "code red""