In my opinion, that is how a "good" company would react.
This is (more or less) how GitHub has reacted to security issues in the past. However, at the moment this seems to be a fairly small exploit that wasn't aggressively used by any would-be exploiters. I definitely don't think GitHub should put up a notice for this. Would you really want to be alerted every time a website you used closed a minor security hole that had possibly never even affected anyone? They absolutely should, if any user information was leaked, or if there was downtime involved, but you honestly do not need to keep informing users about this sort of mundane security update. At best, I would suggest it go on their blog.
Not reporting "oh we found an xss hole that maybe one or two people had used before." is NOT a disappointment.