Three years ago I blogged about #nuget serving outdated #curl packages.

astraleureka@social.treehouse.systems

@bagder amazed you even got a reply that fast; it took me 6 months for them to acknowledge and patch a local root privilege escalation in Defender for Linux (https://astr.al/notes/2024-11-28_mdatp-privesc/)

enfors@mastodon.social

@totenlegionChris @bagder ... second? That's bold of you to assume.

moritzdietz@mastodon.social

@bagder if you had stayed in the MVP program on the other hand…

agowa338@chaos.social

@bagder

Didn't they fire everyone in the team that was handling the submissions through that email address a few years ago?

xenotrope@bsd.network

@bagder Without going into detail, I once worked for a company that sells a windowing operating system. My team managed e-mail, filtering and archiving, and we escalated a 0-day DNS vulnerability to the relevant dev team for immediate response. It wasn't even in-house DNS software. It was a "here's the BIND patch, go deploy it" situation.

The dev lead told us that if it was important, we should have brought it up in that morning's shiproom meeting.

The vulnerability wasn't announced until after the meeting had ended.

I and a senior ops engineer spent most of that day trying to convey to the senior dev lead that a major security vulnerability was more important than his next two-week ship date.

agowa338@chaos.social

@tjbutt58 @bagder

I once had office 2003 and I'm almost certain that they're still running it to this day. On a Win 2000 server...

devlead@mastodon.social

@bagder For NuGet packages, there's beyond "contact owners" also the Report package option, which goes to NuGet support. But found mileage to vary there, too. If you got a package id, I could try to back-channel it. NuGet gallery have option to bot unlist, mark as deprecated, and security advisory.

totenlegionchris@metalhead.club

@Enfors @bagder I am an thick headed optimist, so I will not bow to reality