> Which is better: Finding a bug and bringing attention to it, or someone malicious finding the bug? The latter is objectively worse, but people keep trying to punish researchers for not following the third path of "Report it in private, following strict and lengthy procedures, and make no mention of it until a timeline of their choosing."

He put a lot of details out there that simply weren't necessary, and I think this is where the problem lies for a lot of people. Please explain to me how making the distinction between "There's an RCE" and "There's an RCE that's exploitable by messing with <feature X> in the API" benefits anybody besides nefarious actors (when the software developer is already working on a fix, as LastPass was at the time)?