new | ask | show | jobs
agosta 4 days ago  [ - ]

Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org. But even a competent person can make a crucial mistake.

sofixa 4 days ago  [ - ]

> It's not like they weren't thinking about security

https://kibty.town/blog/mintlify/

The first CVE here definitely sounds like they absolutely weren't thinking care security.

pmontra 4 days ago  [ - ]

A whitelist is safer than a blacklist. Unfortunately you risk losing those customers that won't be able to load their media, won't contact support, will use a different service.

anonymous908213 4 days ago  [ - ]

  The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org.
This statement could not be further from the truth. Your organization itself is completely incompetent if one ignorant employee can compromise it. The "swiss cheese" safety memetic is widely understood and basically common sense; in an actually competent organization, no single person has sole responsibility for success or failure of a process, and it takes individual failures at multiple levels to result in process failure.
esseph 4 days ago  [ - ]

I agree with you in theory.

In practice, I've never known a single organization to hit that bar. Ever.