top | item 47095508

(no title)

michaelt | 9 days ago

> If the system is configured to "fail open", and it's something validating access (say anti-fraud),

The problem here isn't the DoS, it's the fail open design.

discuss

If the majority of your customers are good, failing closed will cost more than the fraud during the anti-fraud system's downtime.

prmoustache|8 days ago

If that is the mindset in your company, why even bother looking for vulnerabilities?

everforward|8 days ago

You are really running with scissors there. If anyone with less scrupulous morals notices, you’re an outage away from being in deep, deep shit.

The best case is having your credit card processing fees like quadruple, and the worst case is being in a regulated industry and having to explain to regulators why you knowingly allowed a ton of transactions with 0 due diligence.

lazyasciiart|8 days ago

Until any bad customer learns about the fail-open.

paulddraper|7 days ago

Okay, then the “vulnerability” is de facto simply transitioning the system to an acceptable state.