by dsacco 4181 days ago
That's a pretty heavy-handed definition of irresponsible disclosure.

The onus of patching security flaws is on the company, not the security researcher. Responsible disclosure is a courteous and respectful form of helping a company fix their vulnerabilities, but it ceases to be responsible if agreeing to keep a vulnerability private enables the company to swipe it under the rug.

Top security talent at Facebook and Google can patch complicated vulnerabilities in a matter of hours, days or weeks. 17 months, even for the most unsophisticated engineering team, is inane. At that point, you could have spent 17 months rewriting the entire codebase from scratch.

What the discloser did here was perfectly reasonable - 90 days is typically considered the upper limit of time for a company to fix a vulnerability. This is typically the time that a vulnerability will be automatically eligible for public disclosure on, say, Hackerone. 17 months? No way.

Also, downvoting is a valid way to express disagreement, see this comment by Paul Graham: https://news.ycombinator.com/item?id=117171


I still don't see why he had to do this?

He has plenty of time to inform the ICO of this issue. He contacted Moonpig then let them sit on this for a year.

If he wants to be a disclosure hero, he could have at least told the ICO at the same time he told moonpig.

The issue is 100% Moonpig's fault but he chose to disclose publicly rather than use the legal route set up to deal with these kinds of issues.

The whole responsible disclosure scene needs a reboot and people need educating on the responsible way to deal with these issues. Public disclosure should be a last resort (within reason). Not even contacting the ICO before doing this is shocking to me.

OP here and I agree with you. The ICO genuinely didn't even cross my mind and in hindsight I probably should have gone via that channel before publicly disclosing. Are there any set procedures to follow for this sort of thing?

Another minor consideration - here in the UK this was posted at 10PM - not exactly a friendly hour. It would have been nice to schedule the post for a time when UK businesses expect to operate. I don't expect they would have thanked you for it in any case, but they would probably have had both a better response time and a better organised response.
They had 17 months, and their Twitter account was still posting at 9pm this evening.

If they gave two shits about our data (and it might include mine, it definitely includes my mum's), or if they were capable of a sensible helpful coherent response, they'd have done it 16.5 months ago.

In reply to the child post (of my other comment), because I can't do so directly due to nesting limits:

>Have you read any of the above?

>It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

I had, at the time of writing my post, read all the comments on this story. I was commenting specifically on the parent's point about what time of day the story was posted. I don't disagree with you re: ICO.

However I don't think it's fair to characterize the disclosure as irresponsible. The fault lies with the vendor for not patching. Publicizing guy followed industry standard practices for responsible disclosure. Vendor is just fucking useless.

I'm unhappy, as I'm sure it'll cause an increase in spam and possibly spearphishing to my mum, which I will subsequently have to deal with. Yey. But that's Moonpig's fault.

Edit: And in response to the response to the response...

>Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

Because it does. No, I think everyone knows that, however it was relevant to the rest of the paragraph. I don't think that was what your child post was about, however I didn't want to make ANOTHER post to voice my opinion.

>There's a difference between reading and comprehension.

I read AND UNDERSTOOD the comments, I was of course referring to your rhetorical question implying that I hadn't even read them. Apparently you didn't comprehend that?

Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

There's a difference between reading and comprehension.

Yes, quite clear that they didn't give it the priority it warranted (aka giving a shit) - just wanted to point out that there was a friendlier option timing-wise. For my money, I'd have seen this disclosed 11 months ago - it's a serious vulnerability to the extent that I'm glad I've never used moonpig.com - but I'd have seen it disclosed in the UK daytime when the company was awake to be able to shut down its API. There's even an argument to be had that waiting as long as this is a little irresponsible - although that's covered to some extent by following up.

I don't know if it's legal to give advance warning of public disclosure - that could easily become a minefield as it might be interpreted as a threat, and linking it to a request to fix could seem coercive.

Have you read any of the above?

It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.