cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

PAN-SA-2019-0020 ... really?

L7 Applicator

Hello Paloalto Team

 

Last thursday you published the securityadvisory for a critical RCE vulnerability and today you notified the customers again with an "Action recommended" article here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-Recommended-Recent-Security-Advisory...

 

In this article you write about that even if this vulnerability has been patched a while ago there are still customers that are running a vulnerable version. Did you really expect something else when you try to keep a critical vulnerability secret for more than a year? I mean, good that you found it and released a fix for it but even with internal discoveries you need to go public with it - obviously this is my personal opinion. This is the fault of Paloalto that many customers are exposed to a critical RCE vulnerability for more than a year. It probably would still be a secret if not someone else found this RCE, so you were forced to go public.

 

Probably some hard words but for a security company like Paloalto this was disappointing. No one is expecting perfect software. Everyone knows there are bugs and vulnerabilities. But specially with vulnerabilities there is a right and a wrong way to deal with. So now you have to live with the criticism of the security community ...

 

Regards,

Remo

Who Me Too'd this topic