This morning I got a phone call from a phone number in Israel. It was Tal, an engineer from Plimus. Tal wanted to know about the issues I had found and what solutions I had in mind. Tal also explained their plans for fixing all the issues and all the issues that are involved with changing their API.
I’ll be keeping an eye on Plimus to see how they are doing, but now I’m confident that someone at Plimus understands their security issues and they are working on fixing them.
I still have an important message for Plimus and every other company that receives security advice from a random person from the internet. Be happy that this person tells you about the security issues and doesn’t abuse them in secret.
And when you receive security advice, you should handle it well. I have spent months exchanging emails and Twitter messages and writing several blog posts only to get marketing people telling me I’m confused. Just one phone call from Tal was more informative for both me and for Plimus than all those months together.
Don’t wait months before forwarding issues to engineers.