Discord should publicly disclose security bugs that affect user data.
I realized that Discord didn’t disclose to users when security bugs were patched, and only the reporter knows about it (but they can choose to disclose it like I disclosed mine). As a (terrible) security bug reporter, I request that users are notified when things like their data are put at risk. Back in September, I found a security bug where your token could be obtained by a bug inside the desktop client. I felt like users should have been informed that things like their data could have been leaked.
I am surprised that no one else actually figured the bug out before me, as it wasn’t that hard to spot if you were looking for it. It only required that users visit a website in order to be exploited, meaning that user data could have been vulnerable. While I am not a total data freak, I would want to know if my data/account was vulnerable to something so I could reset my password and token.
I think a blog, support article, or something equivalent should exist. (I would even be fine with an official server that people could join if they wished to be notified of security bugs.) Users should have the right to know about security bugs that could affect their data.
I have no reason to believe that someone else has user data from this bug, but I think users should have been informed about it by Discord itself, as it posed a risk to people’s data. Most companies inform users about these types of bugs, so I think Discord should, too.
Note: Please do not bring shame to Discord over this. This is just a suggestion and I’m not implying that Discord is doing anything wrong.
Personally, I would also agree with this. I feel that being kept in the know helps to reassure and educate users post-incident and that also helps to build trust going into the future.0
Zaloguj się, aby dodać komentarz.