I cancelled my coderabbit paid subscription, because it always worries me when a post has to go viral on HN for a company to even acknowledge an issue occurred. Their blogs are clean of any mention of this vulnerability and they don't have any new posts today either.
I understand mistakes happen, but lack of transparency when these happen makes them look bad.
Both articles were published today. It seems to me that the researchers and coderabbit agreed to publish on the same day. This is a common practice when the company decides to disclose at all (disclosure is not required unless customer data was leaked and there's evidence of that, they are choosing to disclose unnecessarily here).
When the security researchers praise the response, it's a good sign tbh.
The early version of the researcher's article didn't have the whole first section where they "appreciate CodeRabbit’s swift action after we reported this security vulnerability" and the subsequent CodeRabbit talking points.
Most security bugs get fixed without any public notice. Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements. And there's no real benefit to doing it either. Why would you expect it to happen?
> Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements.
If the company is regulated by the SEC I believe you will find that any “material” breach is reportable after the determination of materiality is reached, since at least 2023.
sophacles|6 months ago
When the security researchers praise the response, it's a good sign tbh.
cube00|6 months ago
The early version of the researcher's article didn't have the whole first section where they "appreciate CodeRabbit’s swift action after we reported this security vulnerability" and the subsequent CodeRabbit talking points.
Refer to the blue paragraphs on the right hand site at https://web.archive.org/web/diff/20250819165333/202508192240...
curuinor|6 months ago
mkeeter|6 months ago
"No manual overrides, no exceptions."
"Our VDP isn't just a bug bounty—it's a security partnership"
acaloiar|6 months ago
The usual "we take full responsibility" platitudes.
frankfrank13|6 months ago
cube00|6 months ago
- within 8 months: published the details after researchers publish it first.
Jap2-0|6 months ago
KingOfCoders|6 months ago
viraptor|6 months ago
smarx007|6 months ago
Not after EU CRA https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act goes into effect
singleshot_|6 months ago
If the company is regulated by the SEC I believe you will find that any “material” breach is reportable after the determination of materiality is reached, since at least 2023.
wredcoll|6 months ago
unknown|6 months ago
[deleted]