[autoexec]

I do think hitting "send" on the email to the responsible party immediately before publishing (or at least notifying them as quickly as you can afterwards) is a smart thing to do. I mean, why wouldn't you? My concern was more about the "Not having a bug bounty or dedicated email address does not make it OK to go public immediately" comment. It can sometimes be difficult to track down the right person to notify and so when the risks to people are high enough whichever one you can accomplish the soonest is probably where I'd start.

[fragmede]

Depending on the severity of the issue. Emailing support with a draft of the blog post and waiting even a couple of hours for a response so they can fix it first would have been more responsible than dropping the blog post to the whole wide world and catching Mullvad with their pants down.

[autoexec]

Why wait for a couple of hours for a response while people who could protect themselves are getting harmed? It's especially true when you don't know if the maintainer/vendor will get back to you at all, or if they even check their mailboxes regularly.

The priority should be on protecting users, and not helping the company responsible for the vulnerability save face, or give them extra time to spin up their PR team, or get a head start on a patch.

When the risk to users is low, or when there's really nothing users can do to protect themselves anyway I'd agree with you. In a case like this where the risk to users can be extremely high, and the moment they are made aware of the problem there are steps the user can take to eliminate that risk, the safety of those users should outweigh inconvenience to the people responsible for the vulnerability

[fragmede]

The problem is how do you notify users? What are the chances that a Mullvad user is going to happen across this blog post? Of the entire world of Mullvad users, somewhere between 0 and 100% of their users is going to read it and be in a place to do anything about it. If I were to make up a number though, I'd guess it's somewhere between 1 and 10% of Mullvad users. On the other hand, by telling Mullvad first, so Mullvad can fix their system first, closer to 100% of Mullvad users get the fix before attackers figure out the issue.

Mullvad fucked up. They should been as inconvenienced as thru possibly could be too fix the problem promptly! The issue is irresponsible disclosure hurts more users than it helps.

[autoexec]

> What are the chances that a Mullvad user is going to happen across this blog post?

It's not as if the odds of new would-be exploiters seeing it are any better. It helps that the people who are at the most risk tend to have their ear to the ground already because they know what's at stake.

When the risks are this high you have to assume that it's already being actively exploited. That means that already there are more attackers who know about the vulnerability than there are users who know about the mitigation.

All you can do at that point is let as many users as possible know how to protect themselves while Mullvad figures out how to fix the issue on their end, writes and puts out the update, and the remaining users get around to updating their systems. You can't save everyone, but hopefully you at least gave some people the chance to save themselves.

[hmry]

Oh yeah fair enough