undefined | Better HN

0 pointswoodruffw1y ago0 comments

> They might have just been showing that this is possible during an assessment. No harm no foul here imo

You're not supposed to leave public artifacts or test on public services during an assessment.

It's possible Cursor asked them to do so, but there's no public indication of this either. That's why I qualified my original comment. However, even if they did ask them to, it's typically not appropriate to use a separate unrelated public service (NPM) to perform the demo.

Source: I've done a handful of security assessments of public packaging indices.

0 comments

guappa1y ago

Comments here seem to indicate that cursor did NOT ask them to (unless of course someone inside the company did and didn't tell the others)

compootr1y ago

if Cursor is secure it shouldn't be a problem for them! (and, according to their comments, it is)

woodruffwOP1y ago

It's not about being a problem or not. It's a basic responsibility when doing security research: maintaining an isolated test environment is table stakes.

mmsc1y ago

How should it have been done differently? How else is the researcher supposed to know if the attack works? "Hey random company, we have no proof it's going to work but we think maybe your system, which we can't see, is vulnerable! Go waste time and check!"

2 more replies

j / k navigate · click thread line to collapse