Suboptimal ways to respond to a public security incident
This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.
It's not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you're hosting an instance. 🙏
You are viewing a single comment
It is common practice to notify affected parties privately and then give full details to the public after the threat is largely neutralized. Expecting public disclosure with technical details on how to perform the attack in less than 24 hours goes against established industry norms.
That only stands true when the issue is not being actively exploited.