A lot of people have burnt a lot of energy pointlessly on technical solutions to this (such as well-known URLs pointing to vulnerability report pages), but the fundamental problem is simply that most vendors don't know that they need to do something here, and until they're educated, nothing else will help them.
Just as important, the post is a PSA that there are 9 websites whose users remain vulnerable, and people with accounts on these sites should check their 2FA and password recovery settings. The websites are: Amazon, AOL, Finnair, Gaijin, Mailchimp, PayPal, Venmo, Wordpress.com, and Yahoo.
Link to paper: https://www.issms2fasecure.com/assets/sim_swaps-03-25-2020.p...
The barrier to entry of re-education outside of SMS for a lot of users is more expensive than the security itself.
Not trying to justify their actions, merely to show that profits can explain some of these.
"Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."
Is there an aspect of this movie quote that does not apply to vulnerabilities?
It might very well be true that $425 million is cheaper than it would have been for them to have better security practices, i.e., a metaphorical recall.
This applies to other companies that have suffered large-scale data breaches. What were the consequences to Target, T.J. Maxx, or Home Depot for their data breaches? Did they suffer a meaningful loss in market share as a result of their lax security? Heck, I would be surprised today if many customers even remembered that these retailers had a data breach, much less factor that into their decision to shop at those places.
It's to the point where, if I see a publicly traded firm suffer a major data breach, I almost want to buy stock in it, knowing that the price will dip temporarily due to whatever one-time fees the firm pays out, but will rapidly return to pre-breach levels as consumers forget that the company leaked their personal information like a sieve.
At this point, it's easier to name companies that have not been breached.
And yet, despite every year bringing news of yet another breach of credit card data or other personal information, there are approximately zero long-term consequences. Consumers quickly forget, and are only reminded if they get a notice of a class-action settlement 5 or 6 years later for a paltry amount per customer.
But people don't go up to my home and say how they can break in. Nor do people go to companies and say "listen, if I go in here as some repair guy with a walkie-talkie, security will let me right in! And then I switched into an office suit and talked to Janet at accounting, and she gave me your private financials simply because I asked her. Train your reception and train Janet."
I understand that you want to keep open source software safe, because everyone is using it. So by helping it to be more secure, that's a win. But why isn't the same happening with companies in a physical sense? The public interacts with them.
Or are there 'vulnerability reports' (or whatever you call them) on those things? Then they're simply not posted here.
Penetration testing handles the physical security of the company. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin!
[Hacking the Wetware: Compromising Companies with Social Engineering](https://www.youtube.com/watch?v=vujs9un-8no)
The perspective I'm taking is the criminal one, not the cyber criminal one.
This article covers some big-name companies; there are others that are critical too:
1. National tax collection organisations.
That, in my experience, prevent the fixing of problems with anti-useful reporting channels.
I've not yet found any third party it's sensible to use for the reporting.