▲ | sd9 3 days ago | |
Disclaimer: UK citizen. I don’t know anything about ICE or whose side I’m “supposed to be on” politically here. I’m just responding to the details in the article. The app might as well be TodoApp.

The vulnerability couldn’t have been reported in a worse way. OP gave unreasonably short deadlines, allowed moral opinions about the software to interfere with responsible disclosure, and interspersed details about the potential vulnerability with inflammatory remarks about the mission of the product. I don't think OP's goal was actually to secure the app. OP was going to publish a scathing blog post about ICEBlock either way, and essentially engineered a situation where the ICEBlock author had to act within unreasonable timelines. He published the original blog post an hour and a half after reporting the vulnerability. Then gave a week’s deadline before another one.

Sure, potentially the ICEBlock author also allowed feelings to interfere with upgrading the vulnerable version. But ICEBlock has millions of users, according to the blog post. I’m cautious about upgrading dependency versions for apps I manage with <100 internal users. In my experience, upgrades are 99% trivial, and 1% cause disastrous headaches and downtime. If I were the ICEBlock author, I would put this on a list of things to look into, and ensure that it was tested thoroughly if I did decide to upgrade. It’s not as simple as running “sudo apt upgrade”. And I imagine that given the scale of the product, the author has incredible demands on his time, and can’t just drop everything because somebody (who has already shown themselves to be communicating rather negatively) imposes an arbitrary short deadline.

Now maybe it turns out that I’m unaware that ICEBlock is a huge net negative for the world, which is why this post has so many upvotes. But just interpreting the facts as they’re presented in the article, and substituting ICEBlock for TodoApp… I don’t see how the developer has acted unreasonably.
Post script: I followed up and read the original blog post (https://micahflee.com/unfortunately-the-iceblock-app-is-acti...), which I largely agree with. I still think Micah has mishandled communicating the vulnerability.
▲ | breakpointalpha 3 days ago | parent [-] | |
This was my immediate reaction as well. 1.5 hours is unreasonably short even for an acknowledgement message! My employer rarely has that level of urgency, let alone a side project that is probably revenue negative! This feels like a hit piece...