RE: https://infosec.exchange/@jvoisin/116488420408417722
For @ifin folks, I started a discussion about this on the Discourse here: https://discourse.ifin.network/t/carrot-disclosure-forgejo/
My personal thought is that I appreciate, as a defender, knowing this information about a project having a systematic lack of security.
-
@kouhai @oilheap @ifin TY! I'm a little surprised by the extreme negative reactions to this TBH. From the perspective of being a Forgejo or other OSS maintainer it sucks to see this. But at the end of the day attackers don't care and aren't going to tell you in this way, or any way, that you have serious issues.
-
@cxiao @kouhai I can understand the negative reaction; telling a well-respected and very open source project “you have serious issues but I’m not going to tell you what they actually are” without any attempt to actually flag the issues to them is… not great? it’s not like this is a company that can bring in someone to audit the code, it’s an open source project that would love to fix the issues but is resource constrained by virtue of being an open source project
it’s an inherently aggressive approach to disclosure and it doesn’t come off as “helpful” nearly as much as “condescending”, and while that’s one thing to direct at a corporation…
-
@cxiao @oilheap @ifin one of the objections I’ve seen is “carrot disclosure doesn’t work when you’re punching downwards or sideways”/ “what additional resources can a volunteer-based project apply?”
(not focusing on the other objections, because I don’t want to retread the productive discussion from earlier)
-