Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://bae.st/objects/4eb1121f-2d4d-4a67-87c6-ea81614f9176">PC-9801 Enjoyer (pawlicker@bae.st)'s status on Friday, 04-Aug-2023 23:46:50 JST</a><a href="https://bae.st/users/Pawlicker" title="pawlicker@bae.st"><img src="https://gnusocial.jp/avatar/6446-48-20220819201952.webp" width="48" height="48" alt="PC-9801 Enjoyer" style="position: absolute; left: 0; top: 0;">PC-9801 Enjoyer</a><div><a href="https://gleasonator.com/objects/9015d60c-7bf0-4818-be5c-a2c846af3b5f" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/2386" title="lain@pleroma.soykaf.com">Oneesan succubus</a></li></ul></div></section><article><a href="https://gleasonator.com/users/alex">@alex</a> <a href="https://pleroma.soykaf.com/users/lain">@lain</a> &gt;Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.<br><br>Also there's nobody auditing it. As jank as Mastodon is, they have processes for dealing with this too and a bug bounty. <br><a href="https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/">https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/</a><br><a href="https://docs.joinmastodon.org/dev/disclosure/">https://docs.joinmastodon.org/dev/disclosure/</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1903856#notice-3735259">In conversation</a><time datetime="2023-08-04T23:46:50+09:00" title="Friday, 04-Aug-2023 23:46:50 JST">Friday, 04-Aug-2023 23:46:50 JST</time> <span>from <span><a href="https://bae.st/objects/4eb1121f-2d4d-4a67-87c6-ea81614f9176" rel="external" title="Sent from bae.st via ActivityPub">bae.st</a></span></span><a href="https://bae.st/objects/4eb1121f-2d4d-4a67-87c6-ea81614f9176">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: cdn.arstechnica.net</div><h5><a href="https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/">Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking</a></h5><div></div></header><div>Most critical of the bugs allowed attackers to root federated instances.</div><footer></footer></article></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://docs.joinmastodon.org/dev/disclosure/">Bug bounties and responsible disclosure</a></h5><div></div></header><div>What to do if you found a serious bug</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
PC-9801 Enjoyer (pawlicker@bae.st)'s status on Friday, 04-Aug-2023 23:46:50 JSTPC-9801 Enjoyer
in reply to
- Alex Gleason
- Oneesan succubus
@alex @lain >Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.

Also there's nobody auditing it. As jank as Mastodon is, they have processes for dealing with this too and a bug bounty.
https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/
https://docs.joinmastodon.org/dev/disclosure/
In conversationFriday, 04-Aug-2023 23:46:50 JST from bae.stpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: cdn.arstechnica.net
  Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking
  Most critical of the bugs allowed attackers to root federated instances.
2. No result found on File_thumbnail lookup.
  Bug bounties and responsible disclosure
  What to do if you found a serious bug

Public

Embed Notice

HTML Code

Corresponding Notice