by sumitgt 3080 days ago
> We don’t discuss all of our security processes and technologies in specific detail for what should be obvious reasons, but here is a high-level overview.

Isn't that the opposite of good practice? You shouldn't rely on obscurity. It's better to have the security processes out in the open so that they can be audited and flaws pointed out.


Yeah, I found this an important aspect of the article. I don't know anything about the culture at NPM, but this feels related to the mismanagement of communication with consumers/the public about the incident itself. i.e., being secretive for no good reason.

Discussing anti-spam/abuse systems in specific detail would be fairly unusual; can you name any larger operation that does?

There are a lot of open questions that are non-specific to that, though, so I'd agree that they could be sharing more.

I think it's

> We don’t discuss all of our security processes and technologies [with each other internally, so dumb stuff keeps happening]