Responsible Disclosure vs Client Confidentiality

As I was looking through my Twitter feed at lunch, I ran across the following article by noted security blogger Brian Krebs. The story describes a vendor (in particular a core vendor in the Fiserv family) that had announced to its clients that upgrading past Adobe 8.1 is currently not recommended because it breaks functionality.

First of all, it probably is not the brightest thing for the vendor to recommend an obsolete version of Adobe, especially given all the vulnerabilities and compromises attributed to Acrobat, and the vendor should have been working diligently over the past year to fix the incompatibility. However, the announcement was made over a client-only secured web site. This was information being relayed to the client institutions so they could make a proper risk assessment for their organization and weigh whether the affected optional enhancement, which relies on older versions of Adobe, is actually needed for business purposes.

As a user of the software (though not affected by the vulnerability), we weighed the need for the optional software and found a workaround that does not expose us to a known vulnerability (though, given time, there will be more). It is disappointing, though, that in the credit union arena a client would expose confidential information that affects up to 300 other credit unions. An intelligent black hat can combine the information that was shared with Brian Krebs with information filed quarterly with the federal regulators to target specific institutions with Adobe PDF vulnerabilities. Credit unions often do not have in-house security expertise and could be at higher risk than most financial institutions. If you are going to shame a vendor (especially one you pay tens of thousands a year for support), find a better way to do it without putting hundreds of thousands of credit union members at risk.