commending excellent security disclosures

I had not heard of OAuth before reading a post today on LiquidMatrix about an OAuth vulnerability, found right after a pretty large round of exposure from Twitter adoption.

A big vuln and the pulling back of support is a big deal, but I’d just like to point to OAuth’s own explanation of the security bug.

This article discussing the details of the bug is excellent (especially given a very confusing bug). It gives detail, it remains honest and open, it demonstrates understanding of the issue. I wish all vendors, closed and open, would be more like this. Yes, fine, it makes the sales and marketing teams feel squeamish, but this sort of open cultural attitude is going to make a difference. Maybe not today, maybe not even in ten years, but someday it will be necessary as the world grows up into technology and efficient information-sharing.

So, regardless of what I think about OAuth or the vuln, props for a great disclosure discussion.

Update 1:37pm: So I saw this Google Group posting, and I have to shake my head and think, “Really? Did you just try to say this? Fail.” The statement: “Please do not speculate or publicly discuss the actual details of this or other threats.” Hopefully someone smacks his hand and tells him not to try that tack again.