More thoughts on vulnerabilities and misaligned incentives

from blog ENOSUCHBLOG, | ↗ original
About 15 months ago, I posted a rant about misaligned incentives in the vulnerability triage and classification ecosystem1, with particular attention given to low-impact, high-noise categories like ReDoS. …and nascent for-profit industry. ↩
This is a short summary. ↗ Open original to view full content

Related

Skin in the Game
Armin Ronacher's Thoughts and Writings | original ↗
What constitutes a vulnerability?
Without boats, dreams dry up | original ↗
A few more remarks on reference-counting and leaks
baby steps | original ↗
Let's blame the dev who pressed "Deploy"
yield code(); | original ↗
Exploiting Directory Traversal to View Customer Credit Card Information on Yahoo's Small Business Platform
Blog | Sam Curry | original ↗
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts
Blog | Sam Curry | original ↗
A couple ideas that went nowhere
Push the Red Button | original ↗
on the xz backdoor
erock's devlog | original ↗
How Not To Run A Vulnerability Disclosure Program
Jeffrey Paul | original ↗
Skin in the Game
Armin Ronacher's Thoughts and Writings | original ↗

More from ENOSUCHBLOG

Introducing zizmor: now you can have beautiful clean workflows
27 Oct 2024 | original ↗

This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions1, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please. Support for custom actions (e.g. action.yml within actions/checkout or similar) is planned, but not implemented yet. ↩

YAML feature extraction with yamlpath
10 Sept 2024 | original ↗

Another Rust crate announcement: this time I’m announcing yamlpath, a small library for format-preserving YAML feature extraction.

Tracking and publishing my TILs
18 Aug 2024 | original ↗

Mini-post.

Approximating sum types in Python with Pydantic
12 Aug 2024 | original ↗

TL;DR: You can use Pydantic’s support for tagged unions to approximate sum types in Python; go right to Sum types in Python (and onwards) to see how it’s done.

Python wheel filenames have no canonical form
12 Jun 2024 | original ↗

This short(-ish) post is a successor to 2022’s a most vexing parse, but for Python packaging. I discovered it the other day while doing it what I normally do: mucking through the guts of Python packaging.