Plimus is working on issues
This morning I got a phone call from a phone number in Israel. It was Tal, an engineer from
Plimus. Tal wanted to know about the issues I had found and what solutions I had in mind. Tal
also explained their plans for fixing all issues and all the issues that are involved with
changing their API.
I'll be keeping an eye on Plimus to see how they are doing, but now I'm confident that someone at
Plimus understands their security issues and they are working on fixing them.
I still have an important message for Plimus and every other company that receives security
advice from a random person from the internet.
Be happy that person tells you about the security issues and doesn't abuse them in secret.
And when you receive security advice, you should handle it well. I have spent months exchanging
emails and Twitter messages and writing several blog posts only to get marketing people
telling me I'm confused. Just one phone call from Tal was more informative for both me and for
Plimus than all those months together.
Don't wait months before forwarding issues to engineers.