[bawolff]

If there is no evidence of in the wild exploitation and no reason to think the vulnerability is publicly known, then 2 weeks seems like an acceptable turn around time.

If you start looking at big corps, you will very quickly find instances of fairly severe vulns that sit for months before a fix is issue.

(I'm assuming "started triaging" actually means worked on fixed. If they didnt even respond to reporter for 2 weeks, that is kind of bad)

[pier25]

> no evidence of in the wild exploitation

That's how zero day exploits work. People keep it quiet so they can keep exploiting it.

[bawolff]

Sure, but its also how vulns not currently being exploited works.

Good security is about risk management. For a vuln not thought to be exploited, an extra week or two is a reasonable cost/benefit to ensure a proper job was done fixing it and making sure nobody has to pull an all nighter.

If they sat on it for a year, that would be a different story.

[pier25]

It's impossible to know how many people knew about it before it was reported. It's also trivial to add a header to bypass middleware. Apparently it was there since v12 released in 2021 so god only knows how much damage this has caused already.

And let's not forget there are still many unpatched Next self hosted apps, right now.

I can't believe how anyone can downplay this in any way.