The letter on their site is dumb. It's the complete wrong approach to security. They have an implicit assumption that v5 will be perfect and totally not going to be exploited right out the gate.
They would be better off focusing on securing their existing site. Log EVERYTHING, make sure you don't have any ways to inject SQL, make sure that if anyone can break out server side they can't get to anything useful. Just basic stuff.
That said, they don't owe anyone anything. It's all volunteer, but if you are going to do it do it well.
Other people who are now looking at their code said there are numerous other vulnerabilities. I guess that's why they decided to burn it to the ground and rewrite instead of trying to fix everything.
karmicthreat|5 years ago
They would be better off focusing on securing their existing site. Log EVERYTHING, make sure you don't have any ways to inject SQL, make sure that if anyone can break out server side they can't get to anything useful. Just basic stuff.
That said, they don't owe anyone anything. It's all volunteer, but if you are going to do it do it well.
uyt|5 years ago
Other people who are now looking at their code said there are numerous other vulnerabilities. I guess that's why they decided to burn it to the ground and rewrite instead of trying to fix everything.