iOS banking apps security still not good enough, says researcher

Michael Thibault

Re: Name and shame

I get the private heads-up, then a public announcement of the general state of the world, and, eventually, making the list of apps considered public.

Alternatively, skip the last part and do a follow-up, unannounced and naming names, some time after the public announcement of the general lay of things. No possibility of interpreting that as a shake-down, or as a threat.

However, the convention of 30 days is a courtesy and a misguided convenience to businesses (banks, in this case)--particularly if it becomes more and more entrenched, as that will give businesses ample opportunity to scramble to protect what really matters: their public image. In the publishing regime under consideration, there isn't any in-built incentive for businesses to do more than foist the security assessment on someone else (researchers, for example), and the costs onto users/clients. That incentive is necessary if there's any expectation that businesses will become otherwise than simply reactive to security issues brought to their attention from without. The unannounced that-was-then-and-this-is-now assessment might serve that purpose, if it--instead--becomes the convention.
