1. Kalen Johnson (@Kalenjohnson)

    Hey Jeff, I know it wasn’t really “officially” announced other than the security release patch you linked, but isn’t this what Nacin was talking about in his Loopconf talk? https://www.youtube.com/watch?v=yQaRUEwEKxE

    Whether it was better or worse to discuss a security issue like this in a talk at a conference, and not through more official channels, I’m not sure…


2. J.D. Grimes

    I haven’t had much success communicating about security issues with the team through HackerOne. Lots of dead air. I’ve had much better success contacting them via the security@ email. Even there though, it would be nice if there was a bit more communication. So I second the hope that a Security Czar will improve communication between researchers and the security team.


3. planetzuda

    If someone will take the reflected XSS and stored XSS issues we’ve found seriously, then we will see this as a step in the right direction.
