

Whisper suffers from critical security flaws - joewee
http://www.xipiter.com/musings/a-confederacy-of-privacy-dunces-what-we-found-under-the-hood-of-an-anonymous-chat-app-used-by-millions

======
mukyu
It is a bit odd to go to a journalist first with a vulnerability disclosure
and then, when they are patched poorly, to just publicly disclose instead of
going back to the vendor. 'Several weeks' does not even seem like an extremely
long time span either, all things considered.

On the other hand, even major players are constantly having low-hanging-fruit
bugs delivered to them very cheaply due to bug bounty programs (like the two
recent Facebook bugs). Paying $5k a bug and having no other costs (such as bad
press) could be 'cheaper' than actually giving people security training and
having audits. If companies started getting burned by these failures, maybe
they would work harder to prevent them ahead of time.

