Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The API, API docs and the pointer to them are all fully public.

The user who deliberately hacks their way into using a test plugin and sees bad results is going to see bad results but that's not a security problem.



> The API, API docs and the pointer to them are all fully public.

Yeah, the basic model (because it involves publicly publishing untested instructions, which amount to code) is a security problem for the plugin supplier.

OpenAI not doing server-side validation of the closed-test-groups that it advertises for unreleased plugins magnifies the risk, but eliminating it wouldn't eliminate the fundamental problem entirely.

(The OpenAI failure here isn't failing the end user, its failing what they represent to the plugin supplier.)


You can and should implement auth on those endpoints if you have any concern about them being accessed.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: