> The first article is concerning an XSS flaw that was discovered in a pre-release beta version of ProtonMail 5 years ago, prior to public launch.

It's not about the vulnerabilities themselves, but the fact that the existing users were not informed about them at all when they were discovered:

"The reason I posted the video was because they did not communicate the security problems to their users – and did not even notify me when the bugs were patched," Roth told The Register.

"I believe that for a service that is used for 'secure communication' trust is very important – and if they hide vulnerabilities from their users I can not trust them."

The researcher said he had reported five vulnerabilities including a cross-site request forgery bug that apparently allowed an attacker to change victims' email signatures, further opening them to malicious cross-site scripts.

> As for the second one, everybody can agree that criminals are bad, and we do work with law enforcement to bring them to justice

Your company publicly bragged about engaging in a criminal activity, and then claimed that the journalist's report was based on "unsubstantiated rumors".

> The third allegation has also been proven false time and time again. Mozilla checked ProtonVPN by meeting with the team in Geneva.

As far as I am aware, Mozilla did nothing to visit the office in Vilnius, Lithuania, where ProtonVPN was actually being developed.

> On the other hand, there is ample evidence that there are shady VPN companies engaged in a large scale disinformation campaign against ProtonVPN.

I am not sure if any of it was really "disinformation", but it doesn't surprise me that some of your competitors might have used it as an opportunity to enrich themselves, given how shady the industry of VPN providers is.

Actually, I wouldn't be surprised if Luminati Networks was behind this attack, since they compete with Tesonet directly, both as a free VPN provider and as a data mining company.

> Who is more likely to be telling the truth? 500 anonymous bots on Twitter, or Mozilla, the EU, and the state of Geneva who have all verified the company?

I see you again and again trying to attach the "Proton" brand to the entities that people consider of high trust and integrity – such as "Switzerland", "Geneva", "EU", "Mozilla" – when, in fact, the real values of your company seem to be very far away from that.



You clearly have a grudge against us, so this is not going to be a meaningful discussion, but we do want to point out that this is entirely unsubstantiated:

> As far as I am aware, Mozilla did nothing to visit the office in Vilnius, Lithuania, where ProtonVPN was actually being developed.

Check on LinkedIn. Proton devs are distributed across all our offices (Geneva, Zurich, Skopje, Prague, Vilnius, remote). Proton management is in Geneva, where we met Mozilla.


> Proton management is in Geneva, where we met Mozilla.

I have pointed this out because a picture with Mozilla representatives in the Geneva office was used as proof that ProtonMail didn't outsource its free VPN service to a data mining company in Eastern Europe – and only used that company as "an office space provider" – when, in fact, Mozilla representatives never went there to verify it themselves.
