Typical reasonable disclosure is in terms months usually, not "nearly a week". OP is being irresponsible at best by posting this before giving time to the developers to see, and act on it.
Dusty
joined 2 years ago
Thank you, I was going to write one up tonight for it. You emailed security @ correct? https://github.com/LemmyNet/lemmy/security/policy
OP doesn't seem interested in that. They state they "sent a vulnerability a week ago" and didn't hear back so they are being completely irresponsible and posting about it publicly on a community instead.
If you find a way to disclose vulnerabilities without being ghosted by Lemmy developers: update me.
How have you been "ghosted by Lemmy developers" especially if you "do not use GitHub"
lemmy.world is probably overloaded.
On my instance, everything from them floods through all at once, filling my first couple of pages with hours or even days worth of stuff, then I'll get nothing from them for a while again.
I mean, maybe it's because I'm not overly paranoid or live in the US, but this doesn't seem like a big deal at all.
As for the "drama" of them telling someone they can unfollow, it's true. It's again, not a big deal.
This screams people trying to make a mountain out of a molehill.
Do we know the domains they are going to use for federation yet?
What's wrong with Ubuntu?
My favorite part is when it finally becomes somewhat less overloaded, and my instance gets flooded with a bunch of posts from there filling the entirety of my front page, and the second page...
Thank you I'll look into it.
That's great news! Hopefully it releases soonish.
view more: next ›
It absolutely does, it also means following up, not "They didn't reply in a week so instead of trying other ways to contact them, I'm just going to post about it". They didn't even try to open an issue because they "don't use github" all while coming here talking about how bad the vulnerability is.
It's poor (lack of) judgement on OP's part.