I haven’t heard of #Giggle before but apparently they not only had a pretty bad vulnerability allowing anybody to query information of all accounts, they also made some rather questionable privacy choices. https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/
According to the researchers, they were first ignored when they attempted to report the issue. Eventually, they received a response but not the kind they hoped for. Not sure why they had to state their disagreement with @email@example.com’s views, but it clearly rubbed her the wrong way.
From that point on, things went only downhill. @salltweets vehemently denied the existence of any security issues, claiming that the whole thing is a harassment campaign – despite not having received any details. She sent them a DM but apparently blocked the account later.
And she claims that @DI_Security@twitter.com researchers publicly called her a transphobe. Not sure what this is about, I could only find a tweet by @firstname.lastname@example.org who appears to have no relation to the researchers. Judging by the way @email@example.com responded she thinks otherwise.
So today she proceeded by once again attacking the researchers and criticizing journalists who were asking her about the security vulnerability, restating that it didn't exist.
Somehow, the email communication still happened, the right person received the report and confirmed it. So a bit later today @firstname.lastname@example.org started sharing the image below – without retracting any of her claims, somehow assuming that this reinforces her points.
The good news is: the vulnerability has been fixed. The researchers had to publish their findings early given the repeated attempts to undermine their credibility. The questions about privacy issues remain of course.
The bad news: @email@example.com threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?
Yes, the vulnerability disclosure process is often a messy affair. But this mess here shadows everything I've seen so far.
Update: today #Giggle’s @firstname.lastname@example.org published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?
A Mastodon instance for info/cyber security-minded people.