by jeremyjh
3184 days ago
We do not know anything about the number of people who could have known about this issue and escalated it, but it does not surprise me at all that there is one primary person who is responsible for it. In fact, if there were not exactly one person who is responsible for the security of the application, that would be a different sort of problem, as diffuse responsibility can be neglected quite easily in large organizations. Still, at my own company, A LOT of people were focused on the timely remediation of this issue, and there was no chance of it being left to one person, even for development environments of internal-facing applications. The scanners do work; we used them at my company and they found this specific vulnerability. It surprised some development teams because there are libraries that use Struts without really advertising it, so even applications that don't "use Struts" had a transitive dependency on it; it was running in their container and showed up on the lists that were circulating.