Re: I'd have some sympathy if at least made an effort
"If Google had just publicly reported a zero-day and warned users to switch routers or shame TP-Link into repsonding, I'd be right behind them"
Ummmm thats exactly what that have done though, 90 day response period, vendor did nothing, not even acknowledge the issue in 3 months, so its fair game to publish, without the 90 day chance to respond it would be irresponsible, but all the google employee did here was follow the industry best practices. If anyone here is irresposible then its tp-link, as its not like google sec research doesn't have a track record of following through on disclosure just ask apple, or MS.... As for not releasing the script how would you deliver a proof of concept with non functional code, nope gotta disclose the how as well and the where and why
I suspect though that tp-link are unable to respond on a technical level though, as they are just rebadgers of cheap reference boards coming out of which ever factory city has entertained the purchasers the best, not that this snafu would cause them a jot of discomfort, their market is for cheap and bundled consumer networking kit, and i very much doubt anyone outside of the networking/security echo chambers would give a toss about this, i.e. imagine the response of joe blogs when told his crappy router sent to him by his cheapest on the market ISP, could be commandeered to launch a DDoS or (doubt it has the computational chops) mine crypto currency, as long as access to farcebook or youtube isnt effected then shits given would be 0
Biting the hand that feeds IT
