by cryptbe 56 days ago
Disclosure: I didn't discover the vulnerability. I wrote the blog post.

> The author was able to develop an exploit by prompting an LLM with just the upstream commit

Yes, I was able to do this. I believe anyone watching iTerm2's commits would be able to do this too.

> but I still think this blog post raises the visibility of the vulnerability.

Yes, I wanted to raise the visibility of the vulnerability, and it works!

The author of iTerm2 initially didn’t consider it severe enough to warrant an immediate release, but they now seem to have reconsidered.

1 comment

> The author of iTerm2 initially didn’t consider it severe enough to warrant an immediate release, but they now seem to have reconsidered.

It's funny that we still have the same conversation about disclosure timelines. 18 days is plenty of time, the commit log is out there, etc.

The whole "responsible disclosure" thing is in response to people just publishing 0days, which itself was a response to vendors threatening researchers when vulns were directly reported.