07-24-2019 10:29 AM
Hello Palo Alto Team,
Last Thursday you published the security advisory for a critical RCE vulnerability, and today you notified the customers again with an "Action recommended" article here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-Recommended-Recent-Security-Advisory...
In this article you write that even though this vulnerability was patched a while ago, there are still customers that are running a vulnerable version. Did you really expect something else when you try to keep a critical vulnerability secret for more than a year? I mean, good that you found it and released a fix for it, but even with internal discoveries you need to go public with it - obviously this is my personal opinion. It is the fault of Palo Alto that many customers have been exposed to a critical RCE vulnerability for more than a year. It would probably still be a secret if someone else had not found this RCE, so you were forced to go public.
Probably some hard words, but for a security company like Palo Alto this was disappointing. No one is expecting perfect software. Everyone knows there are bugs and vulnerabilities. But especially with vulnerabilities there is a right and a wrong way to deal with them. So now you have to live with the criticism of the security community ...
Regards,
Remo