Kudos for getting so much done in the 2-3 minutes between when I clicked “Tweet” and submitted the issue (which I will note you acknowledged, seconds later - as can be seen from the github link).
I will kindly ask you to remove the inaccuracies in your previous tweet. You are entitled to your opinion on security disclosure, but you explicitly stated that I did not contact you at all - which is a lie, as I have demonstrated.
Also, I will note that I reported several other security issues in the full node version of Zecwallet prior to this incident via github issues - i.e. a public disclosure process - at no time was I told to report these via different mechanisms.
But let’s set aside those quibbles and allow me to make a broader point.
I tweeted to warn people that you had released a new version of the software with a critical MITM vulnerability. The bug was so severe and so blatant the only action users could take to stay safe is to not use zecwallet. The software had been plugged by high profile accounts earlier in the day and so both the chance of compromise and the number of users likely to be impacted were high.
There has been no public postmortem detailing how software with such a critical, trivially exploitable issue was released to users, and as far as I can tell there have been few changes to prevent such mistakes from happening again. I would still recommend people not use zecwallet unless they understand those risks.
Further, and more generally, the Zecwallet lite website advertises it as “fully private” despite that being impossible right now. There is also no indication of previous security issues listed on there to inform users.
Whatever you may think about the way I disclosed the MITM vuln, the way zecwallet lite was rushed out with that critical vulnerability was, and many of the continued practices in promoting the wallet are, irresponsible.
For the record, there are a lot of vendors who dislike my approach to life, who dislike me informing people who use their systems about the risks they are subjecting those people to. I don’t lose sleep over it.