[agosta]

Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org. But even a competent person can make a crucial mistake.

[sofixa]

> It's not like they weren't thinking about security

https://kibty.town/blog/mintlify/

The first CVE here definitely sounds like they absolutely weren't thinking care security.

[pmontra]

A whitelist is safer than a blacklist. Unfortunately you risk losing those customers that won't be able to load their media, won't contact support, will use a different service.

[anonymous908213]

  The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org.

This statement could not be further from the truth. Your organization itself is completely incompetent if one ignorant employee can compromise it. The "swiss cheese" safety memetic is widely understood and basically common sense; in an actually competent organization, no single person has sole responsibility for success or failure of a process, and it takes individual failures at multiple levels to result in process failure.

[esseph]

I agree with you in theory.

In practice, I've never known a single organization to hit that bar. Ever.