From 98a05d2d78251fad8f9e073705b0c234f65854a5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 7 Jan 2025 12:04:35 +0100 Subject: [PATCH 1/3] security/will-appear.md: mention learning --- security/will-appear.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/will-appear.md b/security/will-appear.md index dafbb24..50e01c0 100644 --- a/security/will-appear.md +++ b/security/will-appear.md @@ -24,3 +24,15 @@ sure that parts of your audience will react badly. They will think that because you published a security vulnerability, your project has a bigger problem of insecurity. As if not all actively developed projects get these problems, either open or proprietary. + +## Learn + +Every security incident is a chance to learn. Mistakes are for learning. Why +did this error slip through and cause this problem? What code pattern can we +detect or prohibit to prevent this or similar mistakes to happen again? + +This is hard. In my experience, most security problems feel like one-offs and +rare circmstances that happened because of strange changes and your own +stupidity. Seeing patterns and adjusting ways of working to prevent future +flaws is difficult work but should always be attempted, to make the most out +of every CVE. From 2227a2115084db31b74dd10f10ff0cc142f8bc15 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 7 Jan 2025 12:06:04 +0100 Subject: [PATCH 2/3] Update security/will-appear.md spelling Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- security/will-appear.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/will-appear.md b/security/will-appear.md index 50e01c0..bffa9f9 100644 --- a/security/will-appear.md +++ b/security/will-appear.md 
@@ -32,7 +32,7 @@ did this error slip through and cause this problem? What code pattern can we detect or prohibit to prevent this or similar mistakes to happen again? This is hard. In my experience, most security problems feel like one-offs and -rare circmstances that happened because of strange changes and your own +rare circumstances that happened because of strange changes and your own stupidity. Seeing patterns and adjusting ways of working to prevent future flaws is difficult work but should always be attempted, to make the most out of every CVE. From ca81996bbb4f8530eaa054ec83d0e318dfdde473 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 7 Jan 2025 12:07:27 +0100 Subject: [PATCH 3/3] fixup allow CVE --- wordlist.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/wordlist.txt b/wordlist.txt index b698ba8..82efe86 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -14,6 +14,7 @@ CLAs configs Corola cURL +CVE CVEs distro distro's
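Review bot: In the new "Learn" section of PATCH 1/3, "to prevent this or similar mistakes to happen again" is ungrammatical; "to prevent this or similar mistakes from happening again" reads correctly. The same hunk introduces "circmstances", which PATCH 2/3 then corrects; squashing that spelling fix into this commit would keep the typo out of the history entirely. The paragraph asks "What code pattern can we detect or prohibit?" but stops there; a short pointer to the concrete follow-ups the project can take (a regression test for the exact flaw, a new static check or lint rule for the pattern) would make the "always be attempted" advice actionable for readers.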
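Review bot: PATCH 2/3 only corrects "circmstances" to "circumstances" in text that PATCH 1/3 of the same series adds, so it is a fixup that should be folded into PATCH 1/3 rather than landing as a separate commit; a standalone spelling commit for a file that did not previously exist in this form adds noise to the log and to blame output.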
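Review bot: PATCH 3/3 adds "CVE" to wordlist.txt because the new text in PATCH 1/3 uses the singular "CVE" while the wordlist previously only allowed "CVEs"; since the spellcheck would fail on PATCH 1/3 alone, this wordlist entry belongs in the same commit as the text that needs it, or at least before it in the series, so that each commit passes the check on its own.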