• Kogasa@programming.dev
    link
    fedilink
    English
    arrow-up
    0
    ·
    10 months ago

    Frivolous CVEs aren’t a good thing for security. This bug was a possible DOS (not e.g. a privilege escalation) in a disabled-by-default experimental feature. It wasn’t a security issue and should have been fixed with a patch instead of raising a false alarm and damaging trust.

    • surewhynotlem@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      10 months ago

      It is WAY better to over report than under report. I don’t want vendors to have a lot of ability to say “nope that’s not a security problem, sweep it under the rug”.

          • Kogasa@programming.dev
            link
            fedilink
            English
            arrow-up
            0
            ·
            10 months ago

            “What if the boy who cried wolf got lucky and didn’t get eaten in the end”? Seems to have missed the point of the parable a bit.

            • SexyVetra@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              10 months ago

              “A liar who lies repeatedly won’t be believed” is definitely equivalent to “A company conservatively warned that one of their products was dangerous in some specific situations.”

              Hanging out with you sounds really fun.

              • Kogasa@programming.dev
                link
                fedilink
                English
                arrow-up
                0
                ·
                10 months ago

                That’s… not the point either. The point is that “reporting false positives isn’t a bad thing” is only true up to a point. The discussion is then “is this before or after that point.” Which, given the context of the bug, isn’t really a given. But I don’t want to have that discussion with you anymore because you’re annoying.

                • SexyVetra@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  10 months ago

                  I am annoying, but something being low-risk and not effecting most customers doesn’t make it a “false positive”.