darth_avocado 2 days ago

It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.

eclipticplane 2 days ago

What _isn't_ common practice is actually copying and posting company material on your blog. Just because a door is unlocked does not give you the right to take materials & post them.

93po 2 days ago

This requires you to have any amount of respect for intellectual property, which many find to be immoral.

none_to_remain 2 days ago

I have seen this in practice for vulnerabilities that affect many users of some software. If some Hackermann finds that Microsoft Windows version X or Oracle Database server version Y has a security flaw then disclosure is virtuous so that people using those can take measures. That reasoning doesn't seem to apply here.