disclose / research-threats

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
https://threats.disclose.io/
Creative Commons Zero v1.0 Universal

Cloudflare threatened Tavis Ormandy #44

Open attritionorg opened 1 year ago

attritionorg commented 1 year ago

Reference: https://twitter.com/taviso/status/1566077115992133634 And CEO's response: https://twitter.com/eastdakota/status/1566160152684011520

ItsIgnacioPortal commented 1 year ago

I have no idea what @taviso is talking about. I've confirmed with our public policy and legal teams we never talked to the FTC about any of his work specifically or any work from any team at Google. I will always be appreciative of Tavis finding and alerting us to Cloudbleed. Sounds like it was a team member not on our public policy or legal team who, on their own, said something to someone at the FTC they had a personal relationship with. That person was not authorized to speak on Cloudflare's behalf and I will address. Thanks for letting us know. Your Tweet was the first I'd ever heard about it. And I will repeat: I appreciate you finding and alerting us to Cloudbleed.

Sounds like it's been cleared up. AFAIK, this repo is for organization-supported researcher harassment. This was just some guy that acted on his own. Cloudflare is a big company, things like this are bound to happen.

Also, taviso didn't share any sources that backed his claims, so that's to be taken with a grain of salt.

attritionorg commented 1 year ago

Please see the second Tweet I linked, that has a bit more details. From what I read, it happened, but not with authorization of the parties that should have been involved (CEO, legal, etc).

I think because a threat happened, it is important to include here. BUT, I think it equally important to highlight all the rest to show "follow proper procedure in your org before you do this" as a lessons learned.

Finally, Taviso has a stellar reputation in both technical research, his side projects (e.g. preping), and among his peers. Given what he said, vs. what the CEO said, it sounds like a very plausible story, especially given "Cloudflare is a big company" and this seems to have happened outside of proper channels.