zlacker

[parent] [thread] 4 comments
1. panny+(OP)[view] [source] 2025-01-04 10:29:43
I don't like people like this. They do the work of finding a bug, but rather than try to fix it, they grandstand and shout about how bad the thing they obviously enjoy is no good at all. If I find a vulnerability in code I enjoy, I work to fix it and then only after my ironclad fix is applied, do I mention that it existed and that I fixed it so it can never be exploited again.

"Security researchers" IMO are the most cringe and worst examples of community members possible. They do not care about making things better, they only care about their own brand. Selling themselves, and climbing the ladder of embarrassed hard working people who do things for the love of doing.

replies(3): >>Idesmi+Q6 >>evujum+Lq >>int_19+pW
2. Idesmi+Q6[view] [source] 2025-01-04 12:22:13
>>panny+(OP)
Hey. As someone who cries tears of joy when I see the software I support succeed, I share the sentiment.

(I am just trying to push the visibility of your comment ;) )

3. evujum+Lq[view] [source] 2025-01-04 16:08:46
>>panny+(OP)
Exactly. Ideally, we'd all follow the Benzite approach, which is to withhold any and all information from one's peers until a complete analysis has finished, and the best possible remedy to the problem has already been applied. Because how can a miscreant use a vulnerability if it hasn't even been published yet?

As contributors, we enjoy a lot of trust, as we should. That's why it's not a problem if we make seemingly random changes that don't necessarily make a lot of sense, but seem relevant to security, when they actually fix an issue in the code. After all, it's necessary to prevent bad guys from gaining sensitive information, and to keep your colleagues from being unduly bothered with challenges they could possibly help with.

replies(1): >>SAI_Pe+4c4
4. int_19+pW[view] [source] 2025-01-04 20:36:41
>>panny+(OP)
Per the write-up, they only went public with details of this exploit after F-Droid merged the "fix" that didn't actually fix the problem despite having been warned that it will not, and despite being told what they actually need to do to fix it properly.
◧◩
5. SAI_Pe+4c4[view] [source] [discussion] 2025-01-06 12:27:58
>>evujum+Lq
Miscreants have a history of independently discovering vulnerabilities. Software vendors have a history of not fixing security issues. The current coordiated disclosure with a deadline forces vendors to fix their flaws while also allowing users to work around unfixed flaws.
[go to top]