by yoloClin 2366 days ago
Is there a standard for valid flags? I recently recommended a client use `TODOSECURITY` for todos which had security implications until fixed - I discovered functionality which was implemented before authorisation had been developed, resulting in a codepath which was unintentionally reachable by standard users.

Seemed weird to make up a codeword but I wasn't aware of any standard convention, and visually highlighting high impact issues (w/ the bonus of greppability) seemed like a sane approach in rapid development environments.

2 comments

Open a ticket for that straight away and start working on it immediately. Or 3 years later. Whichever actually happens.
Yeah, that's probably true. I don't have any visibility over that particular project's ticketing system but I imagine it was never raised given it wasn't fixed until I noticed it.
I’d strongly recommend not landing code that has known security problems.
It was my job to look for security problems.
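The original post's point is that a dedicated marker such as `TODOSECURITY` makes unfinished security work visible and greppable. The following is an added example, not code from the thread or from any project it mentions, of turning that convention into a check a CI job can run: it scans source files for the marker, parses an optional owner and ticket reference (the `TODOSECURITY(owner, TICKET): message` form is an assumed convention, as are the `TODO-SECURITY` and `TODO_SECURITY` spellings), and returns a non-zero exit code when a marker has no ticket attached, which is the "never raised" failure mode the replies describe. The sample source it scans is constructed inline.

```python
"""Find security-tagged TODO markers and flag the ones nobody has ticketed.

Assumed convention (not from the thread):
    TODOSECURITY: message
    TODOSECURITY(owner, TICKET-ID): message
Markers that carry a ticket are reported as tracked; markers without one
are reported as UNTRACKED and make the scan exit non-zero.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Sequence

# Accepts TODOSECURITY, TODO-SECURITY, TODO_SECURITY, TODO SECURITY (case-insensitive).
# The parenthesised owner/ticket part and the trailing message are optional.
MARKER = re.compile(
    r"TODO[\s_-]*SECURITY"
    r"(?:\((?P<owner>[^,)]*)(?:,(?P<ticket>[^)]*))?\))?"
    r":?\s*(?P<message>.*)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    line: int
    owner: str
    ticket: str
    message: str

    @property
    def tracked(self) -> bool:
        # A marker counts as tracked only if it names a ticket.
        return bool(self.ticket)


def scan_lines(path: str, lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line of `lines` that contains a security marker."""
    findings: List[Finding] = []
    for number, line in enumerate(lines, start=1):
        match = MARKER.search(line)
        if not match:
            continue
        findings.append(
            Finding(
                path=path,
                line=number,
                owner=(match.group("owner") or "").strip(),
                ticket=(match.group("ticket") or "").strip(),
                message=match.group("message").strip(),
            )
        )
    return findings


def scan_tree(root: Path, suffixes: Sequence[str] = (".py", ".js", ".ts", ".go", ".rb", ".java")) -> List[Finding]:
    """Walk `root` and scan every file whose suffix is in `suffixes`."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_lines(str(path), text.splitlines()))
    return findings


def exit_code(findings: Sequence[Finding]) -> int:
    """0 when every marker has a ticket, 1 when any marker is untracked."""
    return 1 if any(not f.tracked for f in findings) else 0


def print_report(findings: Sequence[Finding]) -> None:
    """Print findings in grep-style `path:line:` form so they are easy to act on."""
    for f in findings:
        status = "tracked" if f.tracked else "UNTRACKED"
        who = f" ({f.owner}, {f.ticket})" if f.owner or f.ticket else ""
        print(f"{f.path}:{f.line}: [{status}] {f.message}{who}")


# Constructed sample source: one ticketed marker, one untracked marker, one plain TODO.
SAMPLE_SOURCE = """\
def list_invoices(user):
    # TODOSECURITY(alice, SEC-42): enforce tenant check once authz lands
    return Invoice.query.all()

def export_report(user):
    # TODOSECURITY: reachable by standard users, must be admin-only
    return build_report()

def ok():
    # TODO: tidy up naming
    return 1
"""


def demo() -> List[Finding]:
    """Scan the constructed sample and return its findings."""
    return scan_lines("sample.py", SAMPLE_SOURCE.splitlines())


if __name__ == "__main__":
    # With a directory argument, scan a real tree; otherwise scan the sample.
    found = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print_report(found)
    sys.exit(exit_code(found))
```

Run it as `python scan_security_todos.py path/to/repo` in CI; the build fails only on markers with no ticket, so ticketed security debt stays visible in the log without blocking every commit, while an unticketed one cannot land silently.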