5:15 PM -- If a vulnerability hurts users in the wild, and nobody reports it, is the vendor still a blockhead?
Today we've got a story in which customers of Wanadoo, the U.K.'s largest broadband ISP, "uncovered" a vulnerability in its account recovery system that provided access to personal information of some 20,000 Wanadoo customers. The ISP has pulled down the data and is working to fix the flaw. (See Wanadooops! Flaw Reveals User Data.)
Here's the thing, though: If you look at the Wanadoo user bulletin board where the vulnerability was revealed, you'll see postings that go back months, even more than a year.
So why didn't somebody report it? Did the cat get their tongues? Were their typing fingers removed in some bizarre accident?
New rule, folks: If you know about a vulnerability, you should tell the site/company that might be affected. (Okay, actually, that's an old rule, but you get the idea.)
Every day, researchers around the Web do us all a service by reporting flaws that they find in software, systems, and networks. Vendors may hate hearing that they have a problem, but I guarantee that they will hate it more if they don't know about it.
This is a team game. Vendors may have a lot of money, which makes us envious, and they may be snotty when you call for help, which ticks us off. But they can't be everywhere, all the time. In this case, if Wanadoo users get hacked, we need to blame those who didn't report the vulnerability, just as we do the vendor who created it.
Tim Wilson, Site Editor, Dark Reading