this post was submitted on 24 Dec 2023
7 points (88.9% liked)
Mastodon
5256 readers
1 users here now
Decentralised and open source social network.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The cool thing about software is that it can be updated, so if someone finds a vulnerability and follows the proper CVE disclosure process, instance admins can just update immediately when it's disclosed.
I guess it's a little trickier because open source software can't really say "fix a vulnerability that hasn't been disclosed yet" in a commit message without disclosing the bug, and instances can't just be silently updated before disclosure, but I'm sure there are other ways to handle CVEs that don't rely on information obfuscation.