by jrockway 5021 days ago
Don't shoot the messenger. The security hole was there for everyone to independently observe. Not telling the public just meant that the public couldn't take their own countermeasures.

Blaming security researchers for finding holes is a very strange anti-pattern. We should be blaming vendors for shipping insecure products!

It's going to happen. Even with full care and diligence, there will still be some products shipped with security flaws. It is not ethical to give the company no heads-up, not even anonymously.
For what it's worth, this isn't "some security flaws". The device itself allowed unauthenticated memory reads (as a matter of design -- it uses them), and the card crypto is done using a proprietary algorithm and a 32-bit key. It's not that there are security holes, it's that there are security Grand Canyons.
You're assuming that the security researcher is the first person to discover the issue. That's rarely the case. Keeping quiet just gives users a false sense of security and ensures that they can't mitigate the security impact on their own (without the help of the vendor).

Knowledge is power. We shouldn't censor ourselves because someone somewhere can be evil with some information. They have other ways of getting the information anyway.

The following is meant to be general, rather than about this particular case.

Assuming the goal is to minimize harm, then when to disclose depends on an interplay of several factors. Here are some of them:

1. How many people will discover and exploit the flaw on their own if it is not publicly disclosed.

2. How many people will exploit it if they find out about it, but will not discover it on their own.

3. How fast knowledge of the flaw will spread to the people of #2 without public disclosure. E.g., through word of mouth in hacker or researcher circles.

4. How many users of the flawed system will be able to use knowledge of the flaw in order to protect themselves from the people of #1 and #2.

5. How long the flaw will remain available.

6. How lessons from this flaw will teach others to build more secure systems.

Disclosure affects #2 (disclosure increases harm), #4 (disclosure decreases harm), sometimes #5 (disclosure might push a vendor to action), and #6 (disclosure decreases harm).

What purpose does this serve? In general, I agree with you, because most vulnerabilities can be fixed by the vendor in some reasonable (<6 months) amount of time, and by telling the vendor about the vulnerability beforehand, you help reduce the window where the attack can be easily exploited.

This is not such a case; the vendor had no reasonable way of fixing this. Others had probably already discovered (and used) this vulnerability, and in the long term fixing this vulnerability quickly requires motivating the company to do so. Disclosing it privately wouldn't have held much benefit, and might have been detrimental (the company may have tried to use legal means to prevent or penalize the public disclosure).