In spectacular fail, Adobe security team posts private PGP key on blog

Ars Technica 2017-09-22

Um, yes, that was Adobe PSIRT's private PGP key on their website. Best get their new public key.

Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:

Oh shit Adobe pic.twitter.com/7rDL3LWVVz

— Juho Nurminen (@jupenur) September 22, 2017

Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.
