[bangaladore]

Yeah, I was trying to make sense of what was described here.

Is it that (through some mechanism) an actor gained access to F5's sytems, and literally found undisclosed vulnerabilities documented within F5's source control / documentation that affects F5's products?

If so, lol.

[dwd]

A simple search across a codebase for "TODO" will find all sorts of things left undone, but having access to source control and commit messages, who knows what you might find.

"Here be dragons" is also a good search if you're responsible for security hardening legacy code.

[bangaladore]

Yeah, it's unclear if this is something like TODO or an internal Jira tracking bugs.

Either way though, this is not a small company. DoD/Navy utilizes this all over their systems. TODO shouldn't be getting pushed to main, nor should there be security issues swept under the rug for later.

Maybe they disclosed this to some vendors previously, but I doubt.

[tru3_power]

Yeah that’s what I’m understanding is the case. That’s why they’re harping on no known (unreleased) vulns. But it’s kinda funny, a lot of times bugs that fall under this category are constantly shuffled around/not fixed because there is no public pressure to address them.