Infrastructure June 3, 2026 bearish ⇧ 745 pts across 3 threads

Security Theater: Vendors Denying Obvious Vulnerabilities

Two separate security threads hit on the same day, and they share a structural problem. The VSCode GitHub token theft bug was minimized by Microsoft's security team until public disclosure forced action. Separately, a researcher demonstrated hacking a PC through its speakers, and received an email from SingCERT saying the vendor 'does not consider this to be a vulnerability, as it does not present a cybersecurity risk.' The specific exploit: wirelessly writing custom firmware to someone else's device.

This is not a coincidence. The pattern is vendors protecting brand reputation over user security, and researchers burning time trying to move unmovable bureaucracies. HN commenters are openly frustrated that companies 'stick their head in the sand when confronted with serious security issues.'

The academic AI worm research from U of T adds another layer: as AI gets embedded in more devices and pipelines, the attack surface expands, and the vendor response problem becomes more dangerous, not less.

So what?

As a founder, your security posture includes every third-party tool your stack depends on, and you cannot assume vendors will disclose or patch quickly. Threat modeling needs to account for known unpatched vulnerabilities sitting in vendor backlogs. If you find something, set a public disclosure deadline from day one.
