While it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot blog today explaining what happened and giving me credit for finding it. I realized my mistake shortly after I made the story public. And to be honest, I should know better, given that I work for a vendor and actually deal with security issues.
There is an ongoing debate among security researches on the subject of full disclosure versus responsible disclosure. Now having fully experienced both sides of the issue, I was conflicted over the weekend. Did I do the right thing in disclosing this publicly before talking to iSkoot about it?
On one hand, spreading the information publicly without going to the vendor first gives end users a heads up that they are at risk. On the other hand, the bad guys now know that this problem exists and can start looking for ways to exploit. But how do we know they didn't already know about this and weren't already using this information for their own personal gain?
On the other hand, had I held onto the information and talked with the vendor first, people wouldn't have panicked unnecessarily and hackers wouldn't have had access to the information needlessly. Of course, then it's possible the time to resolution could have taken longer than it did, putting people's Skype sessions needlessly at risk.
I don't think there's a "right" answer to this, personally, as even minds smarter than me can't agree on this topic. I think everyone involved understood my intentions were good, even though some could argue I should have done this differently. In the future, if I run into another zero-day exploit, I hope to keep this experience in mind.
iSkoot claims they'll have a new version out and pushed to users by Wednesday. Looking forward to seeing it for myself and verifying that I see SSL in those packet traces. ;)