Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day

There has been considerable debate within the cybersecurity community about Randori, a security firm that waited one year before disclosing a critical buffer overflow bug it discovered in Palo Alto Networks’ GlobalProtect VPN.

The zero-day — which has a severity rating of 9.8 and was first reported by ZDNet — allows for unauthenticated, remote code execution on vulnerable installations of the product.

The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17, and Randori said it found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets. It is used by a number of Fortune 500 companies and other global enterprises.

Read more…
Source: ZDNet