|
|
|
|
|
|
by nkarpov
4747 days ago
|
|
|
This isn't quite fair. The difficulty of writing completely secure software is out of comparison with the difficulty of finding vulnerabilities. First, it's a numbers game. There are order magnitude more people trying to break the product than there are people trying to make it secure (dev team vs. rest of the world?). As a developer you are ALWAYS at a disadvantage. Second, different objectives. As a vulnerability seeker you only have to find one weakness, while as a developer you attempt to write securely everywhere. This just isn't realistic. The best developers can do is try as best they can. There is no indestructible software. Third, the response and fix time is actually good? If anything - 5 days is incredibly good turn around. We don't know what else is going on, what other crazy vulnerability may have been reported at this time or being worked on previously, etc. While security is important it is unrealistic to imagine that the team in charge of these kind of fixes is all that large or has infinite resources. It is hard (impossible) to secure something like Facebook fully. I agree with the other sentiments that if anything their crowdsourcing efforts have been quite successful. If you are unhappy with a 5 day turn around - start looking for another solution. I think you'll be hard pressed to find anything 1) more secure, and 2) with quicker responses to security issues. |
|
|
Yes. Especially since the code wasn't actively being exploited in the wild.