A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure, no? Sure, you can break open that box and extract the key. So if I hide the box, then it's more secure, right? Now you have to search for it. It is more secure, but not 100% secure; many people will be deterred. Pen testing frequently identifies information leakage, so I will have reduced that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
The problem with open source projects often isn't people finding exploits, but exploits being introduced by others by accident or on purpose.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But in the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding an exploit in a Jia Tan way to exploit it later.
In many places you commit what you need and check what you need, but if someone had added some xz/Jia Tan-level thing... who would know? How long would it go unnoticed?