Hacker News

The article's logic doesn't make sense.

In every vulnerability, the users are the victims. Web stores aren't a special case in the debate of "responsible disclosure" vs "immediate disclosure".

GitLab changed their stance from "responsible disclosure" to "immediate disclosure". That's their choice, but they shouldn't mince words about it.

The users here are the users browsing the web store with the intent to purchase something, not the server operators. Both are victims if the malware author's intent is successful.

In the usual sense of a server having a vulnerability, there are just two parties involved: the server operators, and the malicious party exploiting the server. That's the case in which GitLab is saying to not publish a list of such vulnerable servers. In this case, the server operators are not yet victims; responsible disclosure is supposed to help us (the good guys) keep it that way.

But in this case, we have an already exploited server. The server operators are already victims. The point of publishing lists here is to attempt to prevent the malware from further skimming credit card numbers off users attempting to purchase goods from the infected storefronts. Like before, the point here is to prevent more people from falling prey to the skimmers here, but the action we must take to do so effectively is the opposite.

I don't think this could be accurately described as merely a _vulnerability_ disclosure. These web stores are already compromised, therefore anyone that makes a purchase is exposing their payment information. Furthermore there is no "responsible" way to contact thousands of web stores across the globe. The best case for disclosure is Google's Safe Browsing beginning to warn users immediately.

That is not the issue here. The issue is that the webshops aren't the problem code-wise but business-wise. They don't want to maintain their software that hosts the shop, completely ignore private disclosure or simply ignore it. If they don't want to fix it, the next best thing is to warn people about it.
