Remix.run Logo
firer 3 hours ago

All too common... It's sad yet understandable how a company would not prioritize security.

At the same time, it's also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn.

Maybe I'm too cynical but it truly feels like nobody actually cares at this point.

orphereus 3 hours ago | parent [-]

This comment is so weird. It is so vague to me and feels so off, like an alien from Men in Black trying to pass as a human.

How do they not truly care about helping? Also what sunk cost? What does that mean?

firer 2 hours ago | parent [-]

Hah, not trying to pass off as human. Just communicating with my fellow men in black ;)

To be as explicit as possible: whether disclosing this publicly actually did more good then harm is not that clear cut. Even if accounting for all the second order effects.

Regardless, as a business you'd still be compelled to publish, because you've already poured resources into this research, there's still a chance to gain something, and there is enough plausible deniability about your true priorities.