Vulnerability Reports Are Not Special Anymore
by filippo.io
This page contains highlights I saved while reading Vulnerability Reports Are Not Special Anymore by filippo.io. These quotes were collected using Readwise.
Highlights
Juho Forsén, one of the most prolific reporters of Go security issues, wrote a long interesting comment that makes the argument that instead we should lean harder into trust relationships with individual researchers. It’d certainly be worth it with Juho, in retrospect, but it’s unclear if it would pay off often enough, in the same way that training new contributors who might leave the project in a month or two is not always worth it.
LLMs are as good as almost any security researcher, and anyone can run them. The maintainers can run them. The attackers can run them.
The insight is not scarce and precious anymore. The bottleneck now is not finding potential issues but assessing which ones are real.
A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all.
Maybe the next task of security teams is getting good at classifying reports rapidly into special and not special buckets.
Ultimately, it all stems from our responsibility to our users. The security researchers are not special, the insight and confidentiality are, and we need them to keep our users safe. Ignoring a security report communicates you don’t care about users’ security, and it’s rightly a reason for shame.
Want more like this? See all articles or get a random quote.