
> It was 1.5 working days, and there are other factors not mentioned in this article which meant they were lucky to get that

In your article you also wrote that you didn’t bother reporting it at all when you first discovered it. Why did you wait until the article was ready to be published to inform them?

Standard practice is to inform the vendor early and work with them as you write the article. Keeping the issue quiet and then demanding a rushed response when the article was done isn’t helpful to people who actually want the issue fixed before it goes public.

> If they had requested an extension, I may have considered, but they didn't respond at all.

Why would they request an extension when they fixed the issue a day before you tried to contact them? They should have written back and pointed you to the already-released security update, but I can also understand why they aren’t thrilled to engage with someone who is trying to make a mountain out of an issue they had already fixed.



> first discovered it

There's more than one issue here, and you're conflating them. IF the logging issue was non-public and non-resolved at the time I wanted to publish my article, I'd probably have given them longer.

> Why would they request an extension

If they thought 1.5 working days wasn't enough to provide GPL sources, for whatever reason. I don't see how you can argue that 1.5 days is simultaneously too short, and not in need of an extension.


Your outrage sounds disingenuous. 1.5 days is definitely not a reasonable timeframe for a response to a partially resolved issue. What is 1.5 days in this context? Friday afternoon and Monday? Do you and their security engineers even live in the same time zone?


>Your outrage sounds disingenuous.

I've read through these comment chains a few times, but I'm having a really hard time finding the "outrage", disingenuous or otherwise. Can you quote the part of the comment that displayed outrage?

>Do you and their security engineers even live in the same time zone?

Reading through this thread, you can find where the OP says that the time zones were accounted for.


This is a symptom of a broader narrative perpetuated by the company itself, that any criticism is from "haters".


I know nothing about the product they are selling. As an engineer, I think writing a critical blog post after giving just a 1.5 day notice is bad behavior.


> Standard practice is to inform the vendor early and work with them as you write the article

This isn’t even remotely standard practice.

A fair number of people and companies will give the vendor a chance by doing coordinated disclosures this way - but it’s in no way standard practice.

Also when a company has a history of being openly hostile to disclosure attempts and downplaying stuff, the only way to force improvement tends to be “short warning, or even full disclosure”.

I’ve done everything from coordinated to “no warning” disclosures in my career, and at this point I tend to lean more towards “no warning” in situations where a vendor has a history of dismissing concerns or openly being hostile to external researchers.


For security issues, this is true. For finding that the company is lying, evil and obviously engaging in malicious practices... why ask them for a comment at all, except for a better blog post? Fuck them


> why ask them for a comment at all

Journalist integrity, but the author has expressed in several comments that he doesn't care about that. Which is fine I suppose, but it's weird to pretend to be a journalist or security researcher and not adopt any of their ethical standards.


> Why did you wait until the article was ready to be published to inform them?

AFAIK the OP did not start writing his article until after they resolved it, which they did within 24 hours.

Quoting the blog post now: "firstly because I hadn't fully thought through the impacts at the time". The issue was overlooked by OP up until concerns were voiced by other community members, which ultimately got the problem patched within 24h of it being noticed.

You claim "the amount of negative spin in the article left a bad taste in my mouth.", but you seem to be the only one spinning quotes out of context to fit your narrative


> AFAIK the OP did not start writing his article until after they resolved it, which they did within 24 hours.

No, the article says he did not report it (I don't know what you mean by "within 24 hours") and that he started writing before they fixed the issue. From the article -

> Fortunately for everyone else, the latest RabbitOS update (v0.8.112) addressed this issue while I was midway through writing this article.

From parent comment -

> You claim "the amount of negative spin in the article left a bad taste in my mouth.", but you seem to be the only one spinning quotes out of context to fit your narrative

The second sentence in the post begins with

> Critics unanimously agree that it sucks

And follows up with

> A week or so ago I bought an R1 on eBay for £122 (which is still way more than it's objectively worth). So why did I buy this garbage, in full knowledge of its garbage-ness?

The hostility toward the company is infused in the article.


Agreeing with the reviewer consensus that the product is mediocre is not "hostility". My blog post, on my personal blog, delivers objective technical analysis along with my personal opinions.

I don't owe anyone an emotionless regurgitation of facts, it would be incredibly boring.


The issue was first overlooked by OP, see quote from my previous comment.

Vuln was first mentioned in the community server on the 10th of July at 22:21 GMT+2. Rabbit then, right on cue, on the 11th of July at 22:00 GMT+2 released the new OTA and patch notes, quickly followed by their security announcement 31 minutes later.

OP was the one who found the existence of these logs which were overlooked at first, until community members realized the contents of these logs and inability to remove them could be harmful
