Wardle provided details to Zack Whittaker, a reporter for the publication TechCrunch. Responding to a tweet from Whittaker that promoted his article, Heather Adkins, the director of security and privacy at Google, asked whether the bugs had been "responsibly disclosed" to Zoom and whether the company had been given time to fix the vulnerabilities.
Security researchers normally consider 90 days to be a reasonable period for fixing any bugs; Google's own Project Zero team gives companies this amount of time to fix a bug and then reveals details immediately after this deadline expires.
Zoom has been one of the few companies whose share price has risen sharply during the coronavirus pandemic, because so many people forced to work from home have turned to its software.
Supporting Adkins, former Facebook chief security officer Alex Stamos tweeted: "Yes. Just because they [Zoom] are in the news doesn't make dropping 0-day in TechCrunch appropriate."
But Tavis Ormandy, a well-known member of the Google Project Zero team, sharply disagreed. "Disagree, it's a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle This is what real responsible disclosure looks like," he said.
Backing Ormandy's view was Dave Aitel, like Wardle an ex-NSA man and the founder of the security firm Immunity. "People think that the responsible and responsible disclosure means that you have some sort of weird responsibility to the vendor when that is in fact not the case :)," he said.
Aitel's views have not changed from those he expressed to this writer 15 years ago, during a detailed interview. Asked about responsible disclosure, his take was: "Look, these problems (vulnerabilities) have existed for years. Multiple people come up with the same discoveries all the time. I am not arrogant enough to think that when I find a serious flaw in an application that is widely used by business, only Dave Aitel can find this out.
"No, I know that dozens of blackhats would have found these same holes already. Look at any security mailing list - Full Disclosure or Bugtraq, for example. The number of people posting under anonymous names is much, much greater than the researchers who disclose their names. The security community is a year or two behind the blackhats.
"All I am doing is making my clients aware of the risk at which they are putting themselves when they use a given application. What's wrong with that?"
An individual using the handle Bryan Riddles, who did not identify his affiliations, spoke out in support of Adkins, saying: "Any company deserves to learn about security vulnerabilities directly from the researcher, not the media. If the researcher didn't first notify the impacted vendor and give them a fair amount of time to respond, that's irresponsible to the community."
But his view was contradicted by an individual who goes by the handle hotelzululima -WASH YOUR DAMN HANDS!- BOFH guild, who said: "What utter crap!!!.. They will dissemble and delay and try to shut the researcher up legally. Been seeing this same scenario for 40 years now. Hasn't ever got much different. [Of] course when your pay cheque depends on you saying the sky is green... that's what lackeys do."
Ormandy then responded with this: "Cool, and what will that response be exactly? 'If you installed anytime in the last three months, you were at risk.... our bad lol!'. People are installing it *now*, how does that help them? It doesn't. You're arguing to hide the risk to help with reputation management."
Asked for his take, former NSA hacker Jake Williams said he had no issue with Wardle exposing details of the vulnerabilities publicly before contacting Zoom.
"The vulns Wardle disclosed piggyback [and are] only possible if an attacker is already local on a machine, meaning they aren't remote code execution vulnerabilities (though there's plenty of concern there with Zoom)," he said.
Williams, who now runs his own security outfit Rendition Infosec, added: "I'd still support him if he dropped RCEs [details of flaws that are exploitable remotely] though – Zoom is being used by a LOT of people right now who don't understand the security implications of the software. His disclosure is forcing them to fix these vulnerabilities in a way that non-public disclosure likely would not.
"FWIW, [for what it's worth] I'm an advocate of full disclosure. The disclosure 'debate' is something that vendors largely engineered to save face."