
Tuesday, April 22, 2014

Open letter to Edwin Khodabakchian, CEO Feedly

Dear Mr. Edwin,

I am terribly sorry that the internet news reporters decided to sensationalize this whole thing. I am a Feedly supporter myself and I truly enjoy it. And I agree too with some security professionals / researchers that Feedly did respond timely and, to quote Davey Winder, "ethical disclosure at its best". However, people decided to interpret my blog post their way and put Feedly in a bad light. The blog post is meant for an extremely small community and as a technical findings / tips / news archive; however, it was 'scraped' and re-packaged without even notifying me. For the record, I informed no one and spoke to no writers before this whole thing went down.

And on my blog, I wrote the contents as objectively and technically as I could and quoted only facts, however limited they may have been. Any inaccuracies that were pointed out, I did my best to correct. As Feedly had stopped communicating with me after they fixed the problem, I had zero visibility (and I am not saying that Feedly owes me any). To be fair, I did ask Feedly to advise on Feedly's steps for ethical disclosure; however, I did not receive any responses despite multiple emails. This means that I did not know that it was a backend fix until much later when I tested it myself (and still I couldn't be entirely sure until you helped confirm it later), and I didn't know it was fixed before the 17th when Feedly released v19.3.0 (thus I added 'estimated'). As always, it is part of an individual's duty to inform the public, and as advised by a recognised security body whom I shall not name, I only published this finding about a month after the fix.

Unfortunately, this post unexpectedly went kind of viral, probably because Feedly is at the forefront of cloud RSS service providers. Like other major players such as Facebook, Google and Microsoft, Feedly is facing her onslaught of security news. Nevertheless, I believe the reporters of the various news sites should have contacted Feedly and myself to do fact-checks before publishing the articles. Feedly has an awesome track record in its services and security responses, and like any other giant, people will forget about this and continue to support Feedly.

This is a war against insecurity, both real and deadly vulnerabilities and also the usual crowd paranoia. And I believe that soon enough, this will blow over like any other news. Someone will find something somewhere else and this will quickly be forgotten.

I wish you and Feedly continued success.

P.S. For what it's worth, this article speaks of my thoughts: http://www.daniweb.com/web-development/javascript-dhtml-ajax/news/477537/feedly-android-javascript-zero-day-found-fixed-and-can-be-forgotten

Yours sincerely,
Jeremy S.
