The FBI sleeps when libraries burn

  • Ashelyn
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    90 days to cycle private tokens/keys?

    • Zagorath@aussie.zone
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

      • ITGuyLevi@programming.dev
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 months ago

        90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

        • Zagorath@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          I agree in general, but

          Maybe I’m over simplifying it though, I don’t know how their org operates.

          This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.