• @scrion
      10
      3 months ago

      That’s why there is a huge market for 0-day exploits.

      • @vxx
        3
        3 months ago

        Aren’t there attempts to sneak in vulnerabilities with new commits?

        • @scrion
          6
          edit-2
          3 months ago

          Yes, targeted attacks like that definitely exist, most famously maybe the most recent social pressure to merge a vulnerability into the xz library by the actor “Jia Tan”:

          https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

          This started a whole discussion about relying on (often unpaid) volunteer work for critical systems and the pressure and negativity these people face, which is a discussion that was absolutely needed, and which we are still light-years away from resolving.

          Currently, open source is still treated like this: https://trac.ffmpeg.org/ticket/10341

          (I can only recommend reading the whole story around this issue, which boils down to Microsoft admitting they rely on an open source project for something they consider critical to their customers, but not being willing to pay the maintainer a bounty for fixing the issue.)

    • @[email protected]
      6
      3 months ago

      The NSA is doubtless sitting on a trove of these types of vulnerabilities to use when they really need access to something.