by nknighthb 4304 days ago
If there was irresponsibility in the disclosure, it was in waiting so long, presumably allowing many more people to sign up and become exposed to Coursera's negligence.

The cargo cult of "responsible disclosure" needs to die. Responsibility lies with us, the developers.

Well, yes and no. Ultimately yes -- Coursera should have been more diligent about considering the implications of their API endpoints.

On the other hand, telling the whole internet before they've addressed the items he told them about, and potentially opening them up to more scrutiny (likely less white-hat like) is not an especially helpful thing to do.

Coursera is a large, high-profile site. I am quite certain it did not take a law professor's blog post to bring black-hat scrutiny to it or any other site, server, or technology deployed on the public Internet.

It may or may not have. These holes have been present presumably since the launch of these APIs. However, the author has now made public specific vectors of attack. You may be right that hackers have already been aware of them. In either case, does making these publicly known benefit Coursera, or its users in any way? I can't think of how it could possibly help, but I can certainly see how it might hurt -- anyone who comes across that page now might feel the urge to further 'explore' these findings.

It's telling that your first concern is for Coursera (which deserves no concern at all) and only then its users.

There are definite benefits for Coursera's existing users -- at the very least, they now know it is vulnerable to cross-site attack and can be sure to log out before visiting other sites.

Another set of people clearly benefiting are those I've already alluded to, who now know not to sign up for Coursera.

I'm not really sure how you infer the first line there. I'm in no way defending Coursera -- clearly they need to run their services through some better security checks.

I still generally disagree with your second point -- informing users of a security breach/flaw could (and should, even now after this article was published) be done by Coursera. In this situation, they should be the ones who come forward to their users and A. describe what the issues at hand are and B. describe how to avoid falling victim to them. The author of this article doesn't provide any suggestions for the non-tech-savvy.

Regarding users not signing up, perhaps you're right. It does prevent them from potentially losing their private information. In all likelihood, though, users who don't sign up after reading this article will never sign up. Yes, I realize this primarily hurts Coursera, so in this case, my concern is for them. It also means that potential users miss out on whatever they might gain from the site. A better option that Coursera itself might offer is a temporary "hey, we aren't accepting new users right now -- check back in a week" or something.

And again, I do not believe Coursera should just be forgiven for something like this. As I mentioned, I've never been on the site, probably never would, and now am even less likely to do so, as I have no faith in them. I still don't believe that publishing open security holes is the right solution, unless they specifically said something along the lines of "yeah, we're not gonna fix that."

Your exact words were: "does making these publicly known benefit Coursera".

Whether it benefits Coursera isn't just the last question anyone should ask, it should never be asked. It's nobody's responsibility to provide any benefit to Coursera.

Your argument that "[Coursera] should be the ones who come forward" seems out of place, save as another attempt to deflect attention from Coursera's failings. That someone has a duty to act does not generally preclude others from acting.

"The author of this article doesn't provide any suggestions for the non-tech-savvy." implies that we should be less concerned for tech-savvy users. Why would that be, exactly? Do they have less to lose, or is this another attempt to deflect responsibility?

Your claims to not be defending Coursera sit uneasily with clear attempts to deflect responsibility from them.