What Happens When a Software Company Ignores a Disclosed Vulnerability?

Even worse, they argued that a security backdoor was “critical for their seamless user experience.” In other words, we want it to be easy, not secure.

Zoom fixes webcam flaw for Macs, but security concerns linger.

When a security researcher finds a problem, you get 90 days. They ignored the issue for 10 days, and only then were they able to confirm it. They held the first meeting on day 72, and came up with a “solution” that didn’t fix anything. Or in other words, Epic Fail.

You can find discussions of the technology all over the place, but I’m more interested in the insanity of the corporate schmucks. (You can find one such link at the bottom of this post.)

“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley, said in a blog post. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”

That statement is the key. Here’s what the CISO was really saying, when you strip out the corporate double-speak.

We didn’t see the value in fixing the problem pointed out by the security community because we don’t give a rat’s ass about our clients’ security and privacy, and this fix would tarnish our image (or something), but when it was clear it was turning into a PR disaster we decided that maybe we aren’t as smart as we think we are, and will promise to value security in the future. Cross our hearts…

So what happens when a SW company ignores the security of their customers? They get handed their hats. (Schneier on Security has details on the technology, if you want more info.)