
Help Us Tell Telly That They Have Exposed 8M Subscribers - cwn
https://www.riskbasedsecurity.com/2016/10/help-us-tell-telly-that-they-have-exposed-8m-subscribers/
======
tlb
The timeline isn't completely clear, but it appears to be less than 10 days
since they were first notified. If so, this is irresponsibly early for a
public disclosure. CERT's guideline is 45 days:
[https://www.cert.org/vulnerability-analysis/vul-disclosure.c...](https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)

~~~
jkouns
Disclosure of vulnerabilities over the last decade has been a challenge, and
there are lots of different views on how things should be handled, no doubt.
And it is clear that we are now running into the same issues with data
breaches, in terms of vendors/organizations being non-responsive, as in the
past with vulnerability reporting.

However, to be clear, the CERT guideline you pasted refers to vulnerabilities
in software, and not open data on the Internet, i.e. an active data breach.

If you look at the CERT FAQ as to why 45 days you see this:

------------------------
Q: Why not 30 days, or 15 days, or immediately?

A: We think that 45 days can be a pretty tough deadline for a large
organization to meet. Making it shorter won't realistically help the problem.
In the absence of evidence of exploitation, gratuitously announcing
vulnerabilities may not be in the best interest of public safety.
------------------------

That 45-day timeline refers to an organization having the ability to fix
the vulnerability and get the patches out to affected customers so they
can implement them.

The Telly situation is different. There is an open database exposing customer
data (which is simple to correct, btw) and they are non-responsive, i.e. not
even ack'ing the issue or asking for more time to correct it. The post
does not provide the location of the data, nor details such as a typical
vulnerability report would include on how to exploit the software.

Many people will have their own viewpoints on a situation such as this, but
the real focus should be on getting the database removed from the Internet as
quickly as possible, and Telly taking the proper action ASAP.

