Our SecureWorld media team always watches with interest when a security researcher notifies a company of a critical cybersecurity vulnerability.
Will the company ignore the warning or downplay it? Will the company quietly patch it without saying a word, so it can act as if the flaw never existed?
We've seen all of these things.
On the flip side, we're increasingly seeing companies talk about the vulnerability, own it, and fix it quickly.
That's what happened over the last week with a password manager called Keeper, which some members of our team use.
From the Keeper Security blog:
"On Dec 14, 2017, Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update. To resolve this issue, we removed the 'Add to Existing' flow and have taken additional steps to prevent this potential vulnerability in the future. From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours (Dec 15, 2017).
All customers running Keeper's browser extension on Edge, Chrome and Firefox have already received Version 11.4.4 (or newer version) through their respective web browser extension update process. Customers using the Safari extension can manually update to version 11.4.4 (or newer) by visiting Keeper's download page. No reports of any customers affected by this bug have been reported to Keeper. Mobile Apps and Desktop Apps were not affected and do not require updates."
So don't assume the automatic update landed: open your browser's extension list (chrome://extensions in Chrome, about:addons in Firefox, the Extensions pane in Edge) and confirm the Keeper extension shows version 11.4.4 or newer. If you're on Safari, the update is not automatic, so grab it from Keeper's download page right now.
Do you agree that more companies are taking ownership of vulnerabilities, and then taking action to end them?