1 Comment

  1. Kit Sunde
    June 9, 2017 @ 4:35 pm

    I understand the particular developer in question claims he hasn’t been paid since November. Whether or not that’s true, it doesn’t change how irresponsible and unprofessional it is to publicly announce 0-days (by him.)

    The ZenCash team should communicate how it wishes to receive security vulnerabilities and the policy surrounding that. Industry standard practice asks security researchers for a 90-day timeline to fix affected systems before the researchers can announce, unless an attack is in the wild or the information is already being passed around.

    It should’ve been clear that announcing security vulnerabilities should only be communicated through official channels like this blog or Twitter and not by individuals in front of 100 people on Slack.
