Evan Prodromou

Fediverse developer, when someone reports a security issue with your software, there is one and only one correct course of action.

Say thank you. Prioritize an immediate fix. Publish a hot patch version for all applicable major versions within hours or days. Publicly acknowledge the report.

Avoid minimisation, whataboutism, personal attacks, and complaining about the work involved.

3 comments
Stefan Bohacek

@evan Typically you have to pay for things like QA, user research, security audits, etc.

And most people don't even bother telling you when they encounter issues with your website or app; they just move on.

People really need to learn to be humble and appreciate when a stranger takes the time out of their day just to help them improve their work.

Mark Gardner

@evan F̶e̶d̶i̶v̶e̶r̶s̶e̶ developers, when someone reports a #security issue with your software, there is one and only one correct course of action…

fixed it for you

gabbo wafrn guy

@evan@cosocial.ca An old user I banned here for being a transphobe. He sent me an email and I had to rotate the keys of all the users. The software still was not being used anywhere else. Fixed the issue and acknowledged the issue.
