They explained it themselves - there's no evidence of abuse/exploitation.
They literally have no legal requirement to even tell you as much as they did.
You should be commending them for filling you in at all.
As someone who works in the reputation management sector, fulfilling legal requirements is crucial in establishing a presence in key markets. However, oversharing of internal information that's not required by legal requirements can lead to unnecessary reputation damage, which would lead to a decrease in value for key stakeholders.
I think many engineers often overlook the business implication of disclosing security issues, as it would impact multiple business units as well as the board's stance on security, resource allocation, and potentially the stock price too.
> A restaurant has no legal requirement to make this food tasty
Food is a core deliverable for a restaurant, whereas information on a potential breach is not for a SaaS service unless it is legally required.
Since almost every popular tech company is a quasi monopoly, they use this "fulfilling legal requirements" strategy to abuse the market providing overpriced services with bad quality.
Unfortunately, people got used to this practice and gladly accept it when such companies fulfill all their legal obligations, even when this hurts them or their business.
> A restaurant has no legal requirement to make this food tasty
Somewhat tangential but I'm not even sure that's entirely true. It gets all sorts of tricky due to the subjectivity, but surely fit-for-purpose laws apply here? I'd be really surprised if a five star restaurant selling $500 tasteless gruel with chunks wouldn't manage to get into trouble if they refused refunds.
> ... we were unable to determine whether this bug was ever exploited.
> ...
> Due to the variety of GitHub Apps, their possible scopes, and the repositories they may have been given access to, we are unable to advise on any potential impacts as each customer's situation will be unique.
That's true, but feels like these are always judgment calls. We can always armchair quarterback their judgment calls, but none of us have the full info. At least GH is sharing this info, which is a good call for trust building IMO.
That's not fully GitHub's choice to make. They made a judgement call based on seemingly incomplete evidence, and have different incentives than everyone else.
Repository owners may well have a different level of acceptable risk or legal obligations over the integrity of their source code. For example, if I was maintaining security software or a popular package, it would be entirely appropriate to stop everything and look for abuse. Waiting three months makes that harder.
This is only a judgment call because they have no idea. The fact that they have no idea whether your organization's data was leaked is exactly what people here are complaining about.
I would be commending them if this notice went out March 3 after they had remediated the problem and were aware that they had no logs to determine whether there was abuse.
This is incorrect; you should re-read the post here because I think you misunderstood the implication. They lacked the logging at the time to know what apps were impacted and the extent to which customers were compromised by this. They are legally obligated to disclose security risks like this, which is why they did. You should consider setting a higher bar for your commendations.
> They explained it themselves - there's no evidence of abuse/exploitation. They literally have no legal requirement to even tell you as much as they did. You should be commending them for filling you in at all.
Do they keep logs, or is that also not a legal requirement? (See how these things can combine?)
Folks literally should be mindful that no one is obligated to do business with you if they think you're untrustworthy.
They’re obviously capable of doing more, and they’re in a competitive market, so I wholeheartedly support the freedom of dissatisfied customers to publicly shame them. Either they will learn from this and do better in future, or the community will enrich their competitors at Microsoft’s expense. And that is how we can have nice things rather than the mere minimum that our corporate overlords are “legally required” to provide us with!
Is ‘fulfilling legal requirements’ all you look for in a business relationship?
A restaurant has no legal requirement to make this food tasty but it’s what I’m looking for when choosing where to go.