At least read about responsible disclosure before being so flippant about things like that.
Esser put people at risk. Whether or not anything happens is irrelevant. He put them at risk and we need to recognize that is the cost of full disclosure.
If you're fine with that, cool, but don't pretend he didn't do anything.
> If you're fine with that, cool, but don't pretend he didn't do anything.
Don't speak for me. I never said he did the right thing. I said stop spinning what-ifs about it, but clearly what I should have said is STFU and do something about it. People getting in each other's grill isn't doing something about it. It's blaming others for whatever issues we, as a group, find polarizing.
> That's non-provable until we see it instantiated.
That's not how risk works. I don't even know where to start. If you play a round of Russian Roulette and happen to hit an empty chamber, do you say it's impossible to prove you were at risk? Do you see now how dumb that argument is?
If he publicized a vulnerability, the risk to all of the affected systems is increased. Period.
It's the same way that EMPs are a risk to airlines. If someone releases a method to generate them very easily, they increase the risk to all airlines. You don't have to wait until an airline is brought down before you say the risk was increased.
Well, Apple knew about the vulnerability long before Esser reported it though. So "responsible disclosure" would have achieved nothing, so we should not be comparing public disclosure to it, but be comparing public disclosure to no disclosure.