Exim, ZDI, and the casualties
Three months later- a reflection
I didn’t want to immediately post about the mess that was the “Exim VS ZDI” to give myself some time to see if I still felt the same way given the initial mess that was created. I still do feel the same way:
Everybody lost.
ZDI Lost
ZDI is supposed to be a professional disclosure organization. Nothing in the mailing list logs shows professionalism. There are most likely private communications that will never see the light of day, but again, this is their business. They are owned, now, by TrendMicro, and most likely have competing interests of being a disclosure organization, and providing value of some sort to Trend.
Security People Lost
A late week disclosure on vulnerabilities with incomplete information is a terrible place to exist. Many questions and few answers just sets people’s time on fire. Thanks for nothing, ZDI. Given the extremely protracted timelines, would it have killed ZDI to hold this until the following Monday or Tuesday? All it does is raise questions around their motivations and the desired end results of “helping” VS “getting press”.
The Exim Project Lost
I feel like the Exim project, and their users, were the biggest losers out of all parties. The project was cavalier with the userbase’s trust in the project and ability to interact with ZDI. They failed to find a way to move forward with ZDI, at the expense of the reputation of the project’s reputation and the trust from the users. In reality, if cPanel was not distributing Exim, there would be far less fanfare around this software.