by penguat 4181 days ago
Another minor consideration - here in the UK this was posted at 10PM - not exactly a friendly hour. It would have been nice to schedule the post for a time when UK businesses expect to operate. I don't expect they would have thanked you for it in any case, but they would probably have had both a better response time and a better organised response.

They had 17 months, and their Twitter account was still posting at 9pm this evening.

If they gave two shits about our data (and it might include mine, it definitely includes my mum's), or if they were capable of a sensible helpful coherent response, they'd have done it 16.5 months ago.

In reply to the child post (of my other comment), because I can't do so directly due to nesting limits:

>Have you read any of the above?

>It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

I had, at the time of writing my post, read all the comments on this story. I was commenting specifically on the parent's point about what time of day the story was posted. I don't disagree with you re: ICO.

However, I don't think it's fair to characterize the disclosure as irresponsible. The fault lies with the vendor for not patching. The publicizing guy followed industry standard practices for responsible disclosure. The vendor is just fucking useless.

I'm unhappy, as I'm sure it'll cause an increase in spam and possibly spearphishing to my mum, which I will subsequently have to deal with. Yey. But that's Moonpig's fault.

Edit: And in response to the response to the response...

>Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

Because it does. No, I think everyone knows that; however, it was relevant to the rest of the paragraph. I don't think that was what your child post was about; however, I didn't want to make ANOTHER post to voice my opinion.

>There's a difference between reading and comprehension.

I read AND UNDERSTOOD the comments. I was of course referring to your rhetorical question implying that I hadn't even read them. Apparently you didn't comprehend that?

Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

There's a difference between reading and comprehension.

Yes, quite clear that they didn't give it the priority it warranted (aka giving a shit) - just wanted to point out that there was a friendlier option timing-wise. For my money, I'd have seen this disclosed 11 months ago - it's a serious vulnerability to the extent that I'm glad I've never used moonpig.com - but I'd have seen it disclosed in the UK daytime when the company was awake and able to shut down its API. There's even an argument to be had that waiting as long as this is a little irresponsible - although that's covered to some extent by following up.

I don't know if it's legal to give advance warning of public disclosure - that could easily become a minefield as it might be interpreted as a threat, and linking it to a request to fix could seem coercive.

Have you read any of the above?

It's clear they didn't care; that's why I'm saying the ICO should have been informed. That would force them to give a shit.