Posted on May 14, 2019 by JohnThe Art of Responding to Advisories, Responsible Patching, and Transparency with Users Recently, I communicated 3 serious security vulnerabilities that affected major a Java-based CMS that powers. I sent a message via e-mail, and they quickly released a “hot fix” that was merely hiding the vulnerable files behind their authentication system. The reason this is not an effective way to protect your digital applications is because an authenticated user is the highest-profile target in a digital attack. If someone were to exploit these vulnerabilities, it would most likely be through a spear-phishing scheme. What was most surprising was that none of these 3 security vulnerabilities were addressed in their change log, and the most recent post that stated “vulnerability” was a full major version ago. So, what does a security researcher do at this point? Let’s try getting them on the phone and scheduling a time to work through proper remediation.