by tppiotrowski 1939 days ago
“We had an insecure vulnerability that we knew about for five years,” the second former U.S.-based employee said. “That’s unacceptable. I mean, we knew about it.”

In my experience, knowing about a vulnerability and knowing how to fix it are magnitudes of effort apart. The main reason I saw companies avoid fixing vulnerabilities was third-party libraries. Third-party libraries had switched to a new version of the JDK or Node, and upgrading production environments carried a lot of risk or would break other libraries. Companies stayed on old versions because they “worked” and eventually were unable to pick up security fixes. It’s one big advantage that startups have over the behemoths.

Upgrading dependencies on products with millions of users without breaking anything is one of the most thrilling and rewarding things I’ve ever done.