Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Most security bugs get fixed without any public notice. Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements. And there's no real benefit to doing it either. Why would you expect it to happen?


> there are typically no legal requirements

Not after EU CRA https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act goes into effect


> Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements.

If the company is regulated by the SEC I believe you will find that any “material” breach is reportable after the determination of materiality is reached, since at least 2023.


Sure. And these types of "we fixed it and confirmed nobody actually exploited it" issues are not always treated as material. You can confirm that for example by checking SEC reports for each cve in commercial VPN gateways... or lack of.


The benefit, apparently, is that people like this guy don't cancel their memberships.


And how many would cancel is they published every security issue they fixed?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: