
Were these vulnerabilities disclosed to CyberLock at all before the results were published? If not, I can't blame them for being angry. Not saying they shouldn't be publicly disclosed in addition to private disclosure, but you have to give a company a fair chance to review the vulnerabilities and at least respond to you before you publish.



According to a comment from phar (one of the researchers) on the article, they gave a month's notice and CyberLock ignored it for 29 days:

we started a 30 day clock and if at any point someone had responded and said "we need more time", we could have provided more time (to some limit of course).. we even gave them a few extra days after they contacted us on day 29 since no one has done the math

A convenient approach since it lets them whine like children about how they weren't given enough lead time.


>Not saying they shouldn't be publicly disclosed in addition to private disclosure, but you have to give a company a fair chance to review the vulnerabilities and at least respond to you before you publish.

Why? They are the ones who let a vulnerable system onto the market. Why should I be forbidden from going public with legally obtained information when I have no contract with them? I should not share in any blame for their security vulnerabilities as I was never allowed to share in any of their profits (monetary or otherwise).


Simple ethics. If you contact them, you can at least give them time to patch the flaw for software, or time to start producing a new line of locks in this case. If you release it to the world before they're even aware of it, there's a gap where there is absolutely no mitigation whatsoever.


>If you contact them, you can at least give them time to patch the flaw for software, or time to start producing a new line of locks in this case.

Will I be paid for the effort? Or am I expected to give them information for free when they would never do the same for me? Ethics is a two way street and after superfish (among other issues) I owe this company no ethical obligations.

>If you release it to the world before they're even aware of it, there's a gap where there is absolutely no mitigation whatsoever.

Quite a convenient way to blame me for their security flaw in their product. No, this is solely on them, and as I already pointed out, they have already burned up any professional ethical obligations.


What in the world are you talking about? How is CyberLock responsible for Superfish?


They told the company at least a day beforehand: https://t.co/dnvq8F3Ad0


For anyone reluctant to click on a shortened URL, the full URL is https://lh3.googleusercontent.com/-BwS8oOqrxSQ/VUgoAVekqjI/A...


That's a significantly short amount of time to be able to address an issue before knowledge of the vulnerability becomes public knowledge.

I'm all for releasing a vulnerability after it a) is mitigated or b) becomes clear the responsible party has no plans to address the vulnerability in a timely fashion.

One day is in no way responsible unless the researchers were told pointedly that there was no plan to address the issues.

IMHO.


They (claim they) gave the company 30 days, and assert they could have extended it if it seemed a fix was upcoming and a few more days were necessary, but they only ever got ignored or lawyer-threatened over it.


In a later PDF, the lawyer complains about IOActive wanting access to company engineers on "a few days notice".

I really don't support people throwing around the DMCA, but if the company's lawyer's complaints are accurate (if) then IOActive sounds like they prioritized having a quasi-journalistic "scoop" over professionalism.

https://plus.google.com/118103547235676487972/posts/Sot7Tp1C...


Update: IOActive claims they gave 30 days notice, and that the company ignored it for 29 days. I guess we'll see which side is telling the truth.

Maybe they wanted to try to stealth-fix it without admitting an issue ever existed, and ran out of time?

Or it might be incompetence rather than malice. Maybe someone failed to take action until day 28.
