DEV Community

Discussion on: Disclosing a State of JavaScript/State of CSS Data Leak

Brian Peiris

I appreciate the disclosure and the transparency, and I sympathize with the incident. However, I don't see key steps in this post that would make me trust the survey going forward. To be blunt, the fact that you mistook a 2-way encryption for a hash makes me think that you do not have the security expertise to be responsible for this data.

The "Steps Taken" section still talks about mitigating the encryption mechanism. Is that the same 2-way encryption that caused the issue? Why isn't the first step to remove the encryption mechanism and replace it with a 1-way hash? If you still need to continue using keys, is there a better option for key management than simply making the repo private? The "Going Forward" section doesn't mention security improvements at all.

Before I'd trust the surveys again, I'd like to see you talk about third-party security audits, and how you're going to verify security-related contributions going forward.