Comment by gwd

Comment by gwd 10 months ago

10 replies

View on Hacker News

On the other hand, this is pretty impressive:

    aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
    aug 25 6:02pm: vulnerability poc executed on hursh's arc account
    aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
    aug 26 9:41pm: vulnerability patched, bounty awarded
    sep 6 7:49pm: cve assigned (CVE-2024-45489)
Four hours from out-of-the-blue initial contact until a fix pushed is pretty good, even given how simple this fix probably was.

EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.

Rygian 10 months ago

Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".

In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.

Reply View 6 replies
  • gwd 10 months ago

    > Reacting fast is the least the vendor could do.

    It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."

    Reply View 3 replies
    • moosedev 10 months ago

      You’re technically correct, given a literal reading of the post you quoted, but the use of “could” there was idiomatic - let me explain:

      There’s a (fairly dated) idiom, “it’s the least I can do”, used when you are offering to do something to make up for a mistake or offense, but the person you hurt says your offer of compensation is unnecessary. For example:

      Situation: Person A bumps into Person B in the cafe, causing B to drop their coffee cup.

      A: I’m so sorry! Let me buy you another coffee.

      B: That’s not necessary - it was an accident, and I had almost finished my drink anyway.

      A: It’s the least I can do!

      B: Oh, thank you so much!

      Buying B a new coffee is not _literally_ the least A could have done - the least A could have done is nothing - but that’s the English idiom. “Can” is acting more like “should” here. You could read it as “It’s the least I can do (if I’m a good person, which I am)”.

      Reply View 2 replies
      • gwd 10 months ago

        Thank you for the explanation -- when I'm speaking foreign languages I appreciate this sort of explanation. But in this case, as a native English speaker, I was well aware of the idiom, and was trying to subvert it. :-)

        The original idiom is said in the first person, and as you say means essentially, "Justice and equity compel me to do this; I don't find myself able to do less".

        GGP was actually using a derivative of the idiom in the second person. What the derivative literally says is, "Justice and equity compel them to do this; they don't find themselves able to do less". But idiomatically, what it actually means is, "Justice and equity ought to compel them to do this; they ought not to find themselves able to do any less".

        Which is true; but it's still the case that the vast majority of companies find themselves very much able to do far less. Justice and equity should compel companies to do this bare minimum, but in the vast majority of cases it doesn't. And so we should still commend those who do find themselves so compelled, and hold them up as an example.

        [some edits]

        Reply View 1 reply
  • darby_nine 10 months ago

    > Reacting fast is the least the vendor could do.

    And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.

    Reply View 0 replies
ActionHank 10 months ago

"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."

Phew, glad that's over and will never happen again.

Reply View 0 replies