Yesterday I published the article “Small Problems of a Big Company.” I could not have imagined that the publication of such simple vulnerabilities would cause such a storm of emotions. The sole purpose of this article was to show that besides the security problems of the services, there is also the security problem of the end users. On the same day, I was contacted by the user Skip_C_Dragg, who introduced himself as a CNews journalist and asked me to answer a few questions. I think that was my biggest mistake. With part of my answers cut out of context, an article titled “‘Holes’ in mail.ru to be closed with blackmail” appeared on the CNews portal.
The vulnerabilities are not critical for the company; they are critical only for the user who is targeted for attack. And that is why I decided to publish them. This is exactly what I wrote in the reply to the journalist: “All these vulnerabilities are not so much critical for the company, as critical for the user. No one wants his data to be used or destroyed in any way.” Indeed, I did not publish all of the vulnerabilities, but, as I told the journalist, I’m not going to publish any new vulnerabilities without prior notification of the portal’s management: “I am going to immediately publish the remaining vulnerabilities, of course, first I will again send the information to the portal management, as I always do. So I do not think that ‘blackmail’ is the right word for this.” In response, the journalist said: “Well, yes, ‘blackmail’ is not quite in substance, but the title is not really my competence.”
The word blackmail itself is used illegally in the title of the article. I officially declare that I have never sent and did not intend to send threats to Mail.RU. I never threatened Mail.RU and did not demand money for my services. I provided all the reports to Mail.RU for free. I hope this is confirmed by official representatives.
Yesterday, an employee of Mail.RU contacted me and thanked me for this report. He also said that "a place inside the company where your past message about holes was stuck was also found." After that, I removed all the details about vulnerabilities from the article.
Unfortunately, the journalist is no longer responding to my letters. I hope that he reads this section, so please consider the letter as an official request to refute some of the information contained in the article on the CNews website, as well as to clarify the details that it was “modestly silent” about.
UPD. Thanks to everyone who supports me! I beg you not to lynch the journalist: after this article was published, he contacted me and really did everything that depended on him. At the moment, words have been added to the article about the fact that I will continue to inform the portal management before publication. Perhaps this is the only case where the most important letter gets into spam. Unfortunately, the title of the article is not within the competence of the journalist and he cannot fix it.
UPD. 09/15/2010 7:00 p.m.
Maxim Kazak, Chief Editor of CNews, sent me an answer to my letter. The editor-in-chief of CNews instructed that the word “blackmail” be replaced with “passed to public publicity”. I hope that today I will see the changed title. I think that in this story I am most to blame myself, and in the future I’ll definitely use the advice of the user dime. Thank you all!
UPD. 09/16/2010 3:40 PM
The word “blackmail” has been removed from the headline of the CNews article! I want to thank the leadership of CNews for understanding and prompt decision making.