Hacker News new | ask | show | jobs
by weinzierl 57 days ago
"This plan works by letting software supply chain companies find security issues in new releases."

If it was that easy we'd simply find all vulnerabilities before the release. If the supply chain companies can run the scanners you can (and should) run them too. Even if we assume there is more to it, it would make sense to let those companies do the work before GA.

But it is not that easy. The true value comes from many eye balls and then we are back at cooldowns being some eye balls grifting others.
1 comments
codebje 57 days ago
Consumers of dependencies aren't necessarily - or, I would argue, even typically - eyeballing them. The eye ballers in practice seem to mostly be hackers. Skipping the cooldown doesn't mean you're contributing eyes, it means you're volunteering to help the news of how many victims the attack swept up bigger.

No-one is hurt by having the cooldown. Hackers could choose to also have a cooldown, but must balance the risk of competing groups exploiting vulnerabilities first against the reward of a bigger pool of victims to exploit, and without collusion that still favours early exploits over held ones.

link
weinzierl 57 days ago
"Consumers of dependencies aren't necessarily - or, I would argue, even typically - eyeballing them."

No, but they are the reason software supply chain companies look into the releases. Cool downs very well shift the priorities and therefore hurt the ones not doing them, or doing shorter periods.

link