Sorry, these tweets are not in chronological order.
https://www.yubico.com/2018/06/webusb-and-responsible-disclosure/
So @Yubico releases an advisory that is:
1. based on our work
2. does not give any credit besides "the researchers"
3. apparently applies a bounty for a replication of our work on March 5 (according to the advisory) https://t.co/mKthHffymf
— Markus Vervier (@marver) June 13, 2018
Yeah, nice credit: "They used a YubiKey NEO because they were unable to access an authenticator over USB HID over WebUSB on the Linux computer they used for testing."
Hey @Yubico: maybe we also used the CCID interface because it allowed reprogramming the YubiKey NEO via WebUSB?
— Markus Vervier (@marver) June 13, 2018
_Even_ if they had reported it before what kind of dick move is it to talk to us, asking about source for the PoC, then never contacting us again and sending in bug reports behind our back. And sending us some Yubico starter set as "thank you".
— Markus Vervier (@marver) June 13, 2018
You acted unprofessionally, taking credit for research and work that isn’t yours.
When @marver and I had a private chat with your CSO Jesper Johansson, he was begging us for the source code of the exploit. We even sent demo videos because the Yubico team COULD NOT REPLICATE https://t.co/H83zie9u7K
— antisnatchor (@antisnatchor) June 14, 2018
You even got 5K USD and donated it to a dubious project. And of course, if people on Twitter hadn’t let us know that you published such an elite update on your elite research on your elite devices, the post would have been published WITHOUT ANY CREDITS to us. Classic. Thanks!!!
— antisnatchor (@antisnatchor) June 14, 2018
It is remarkable how @Yubico in one simple vulnerability post has managed to ensure that even fewer people are going to follow the “responsible disclosure” route.
Burn researchers, don’t credit, wrongly analyse their work, back-pedal. #golfclap
— Arrigo Triulzi (@cynicalsecurity) June 14, 2018
It gets even better, we showed this also in our @offensivecon talk and also again in a private call with the @Yubico CISO: "For instance, Yubico was able to use it to obtain a PGP signature from a PGP enabled YubiKey over WebUSB." (from the advisory).
— Markus Vervier (@marver) June 13, 2018
In light of recent events we are publishing the talk from OffensiveCon 2018 by @marver and @antisnatchor Oh No, Where's FIDO?
A Journey into Novel Web-Technology and U2F Exploitation. https://t.co/RMS7SPiSQ8
— offensivecon (@offensive_con) June 14, 2018
You can attack even more than just U2F with WebUSB. In the video you can see us accessing the SmartCard interface of a YubiKey with PGP via WebUSB. If we had got a slot at @defcon or @BlackHatEvents this year there would have been a lot more. 😉 https://t.co/yUeJ1TCnVT
— Markus Vervier (@marver) June 14, 2018
I remember times when we'd consider it only as a _joke_ if someone said: "WebUSB"…
Now eagerly awaiting "WebSMM"! https://t.co/NiSHwOWgKx
— Joanna Rutkowska (@rootkovska) March 2, 2018

One thought on “YubiCo -vs- security researchers”