> Governments have an obligation to protect the private data of their employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes.
Understandable.
> While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represent the complete opposite of a responsible program. A failure to release notification of breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture. The clock to patch vulnerabilities began immediately when the DC3 contacted the NCIIPC via Twitter, as it is a highly visible space - one which threat actors avidly monitor.
Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?
> Why did they publish anything about the vulnerabilities before they were absolutely sure all of those had been mitigated?
Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.
An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.
> Because various entities tried to exploit that to defer any publication, which led to things never getting fixed.
Also understandable.
> [...] so they can take their own protective measures.
Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?
With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:
> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.
The industry standard seems to be disclosure to the entity followed by a reasonable grace period, at which point the bug is disclosed to the general public (where there's room to quibble in what the definition of "reasonable" there is).
I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.
Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is probably the way to go.