The point is that the "lock" can't be immediately replaced by the user in most software exploit scenarios. That's why you delay, so the company can ship a new "lock"; when malevolent forces who didn't know of the exploit learn of it, the new "lock" is ready to do duty.

It depends on the specifics of what's being exploited, but in general I think a short delay between informing those who can fix it and those who will exploit it is more moral.

The lock cannot be replaced, but it can be put behind another lock or temporarily taken out of commission.

In the case of the LastPass exploit, it would've been to not use LastPass for a few days. That's one benefit of direct disclosure to the user.


That really isn't an option for most users. People who use a password manager are pretty much forced to use that password manager, at least if they're using it properly. Most users won't know how to export it to a CSV and then use that without a browser extension and/or import that to another password manager.


This vulnerability didn't affect Android or iOS apps. A user could have transcribed passwords from mobile to browser for a few days.


Also, depending on the kind of exploit, "not using it" may mean completely shutting down the account until the vulnerability is fixed.


Isn't that the right thing to do for truly sensitive passwords?

I'd much rather transcribe my financial account passwords to paper, or not log in for a couple of days, than have multiple months where a vulnerability might be exploitable.