2 Comments
TimothyTraddle

This is strong research, but the disclosure timing is hard to defend.

Publishing while the fix isn’t in a stable release means the vulnerability is public before most users have any practical way to protect themselves. That trade-off needs a clear justification.

Two weeks is too short to argue for meaningful uptake, and too short to justify early disclosure as a way to force action.

So what this effectively creates is a window where the vulnerability is widely known, but the fix isn’t realistically available to the people who need it.

There were better options — either wait until the fix is actually in users’ hands, or make a clear case for why early exposure was necessary. This does neither.

Calif

It was surprising that there wasn't an official release, even though the bug impacts otherwise routine, harmless workflows. The patch itself [1] framed the issue as "hypothetical," so the goal of the blog post was to demonstrate that it is not. I'm glad that after this blog post, the author of iTerm2 has agreed to release a fix.

[1] https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86