by zooko_LeastAuth
4507 days ago
I just posted a comment on the SpiderOak blog about how I was rather startled when I found out that they had waited until after we did the security audit before they informed us that they knew about bugs going in: https://spideroak.com/blog/20140220090004-responsibly-bringi... However, after I got over my surprise, I started thinking that this was a really good move on SpiderOak's part. If you hire a security auditor, it might be hard for you to tell whether you're getting value for your money. Leaving known bugs in the code and then observing whether the auditors find them is potentially a good way to overcome that. Mind you: this will make life harder for us in the security auditing industry if this practice takes off. ☺