I disagree. Who knew when or if Drobo would respond to the OP?
Damned if you do and damned if you don’t… at the very least you benefited immediately from the info, vs. when Drobo chose to release a fix/response.
That’s where the whole discreet thing comes into play. I don’t believe in the “damned if you do and damned if you don’t” scenario either. How is he damned by discreetly handling a bug?
Let’s look at the four possible scenarios: the OP contacting Drobo, and their reaction.
Scenario 1: The OP shouts out the bug to the world and Drobo tells him to take a hike. I can’t see this happening, but the result would be a known bug that Drobo refuses to fix.
Scenario 2: The OP shouts the bug out to the world and Drobo fixes it. This is what happened but the bug was and is known to the world. The bug still exists and is easily exploited until all known installations obtain the new uninstall program.
Scenario 3: The OP discreetly tells Drobo and they refuse to fix the bug. The OP still has the option to “go public” if Drobo doesn’t fix the bug, but the bug isn’t known. While that isn’t “security”, it is still better than a known bug.
Scenario 4: The OP discreetly tells Drobo about the bug and Drobo immediately fixes the code and rolls out new installers and uninstallers. The bug isn’t publicly known and new software is rolled out. Drobo can then notify their customers about the bug if they think that is best.
At any point the OP can always go public with the bug and “shame” Drobo to fix the problem or even cost them business by scaring off new customers if Drobo is slow to react or simply refuses to fix the bug.
But the way to handle a bug, especially one that exposes the password, is to contact support directly and give them a chance to do the right thing. Look over Drobo’s support history. Does anyone think they wouldn’t? Does anyone think Drobo would have reacted differently if he had contacted them directly? Did Drobo even delete the thread? Personally, I think they should have. Again, if they won’t fix the problem, the OP can always then go public.
I certainly don’t believe in security through obscurity but I do believe in giving companies the chance to fix problems and not going public immediately with bugs unless that company refuses to fix the problem.