by vjeux
1268 days ago
I’m the maintainer of many high profile repositories in JavaScript land (react, react native, prettier, excalidraw…) and the following paragraph rings true: “But there is no public evidence whatsoever that these instances warrant the noise, make-work, and consequent fatigue that their reports induce.” All the vulnerabilities ever reported through this channel were regex DoS and were absolutely not real security issues. Most of the time they were in code paths that were not actually used, which makes matters worse. Because a bunch of companies are hooking up their security processes with those reports, it leads to situations where people are alarmed about those non-issues. It generates truly useless work for the maintainer and puts them in a situation where they have to justify that the report is completely bogus even though it has a “CVE” attached to it.

Most security products are just lighter fluid on the tire fire that is "vulnerability management", and it has gotten to the point (as the post pointed out) where reports are doing more harm than good.
I had seen something like this coming, since when I was starting out in security the meritocracy surrounding collecting CVEs was very real for vuln researchers. It isn't their fault; it is just really difficult to prove your worth as someone who is seen as a cost center to a company. Additionally, if you don't actually find a vulnerability, are you a bad security researcher? Is the app actually secure? There is a lot that is left on the table if you can't get that CVE number, and proving your worth to the security community becomes challenging.
My company and I are all security experts spending all of our time figuring out how to flip the script on current reporting and response practices. If you (vjeux) or anyone else have any thoughts, ideas, or rants you would like to share, we have a discord https://discord.gg/awx66qBW but if you aren't about it, you could shoot me an email: chris@lunasec.io.
Would love to hear about your war stories from the trenches!