I'm guessing, as would be typical of many companies, it ended up on a backlog as low priority, survived a few Jira reorganisations and corporate restructuring, before eventually being noticed and fixed.
They're a small company with an even smaller engineering team, I think 13 devs or something like that. I would imagine either everyone knows about it immediately or they are so overloaded with work that it gets deprioritised into oblivion after a quick first look.
Harvest Security Team here. I addressed this in another comment, but basically we were never able to reproduce and there was no explicit fix, but it stayed in Triage state when it should've been Closed, due to a human error on my side.
politelemon|2 years ago
bonzini|2 years ago
config_yml|2 years ago
jorge_leria|2 years ago