
For sure. I've worked at orgs where we disabled package vulnerability scanners because they created a constant stream of upgrading busywork. So many "vulnerabilities" are things like "JavaScript prototype pollution in this package that does something in your build toolchain". So much noise and so very little signal; I don't think the incentives of these scanning and vuln-tracking companies are aligned well.

Nowadays I tend to rely more on tech news to hear when there's an actual serious vuln I need to address.

(Note I'm not advocating everyone do this. Do your own risk assessment).
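The noise the comment describes is largely findings in packages that never reach shipped code. As an added illustration (not the commenter's code and not any real scanner's output format), the script below triages a list of constructed findings by whether the affected package is a production dependency and whether it ends up in the runtime artifact, so a prototype-pollution advisory in a build-only helper lands in the backlog while the same severity in a served package is flagged for action. The field names (`id`, `pkg`, `severity`, `scope`, `runtime`) and package names are assumptions made up for this example.

```javascript
// Constructed sample findings. The schema and package names are invented for
// this example and do not correspond to any real scanner or advisory.
//   scope:   "prod" or "dev" (where the package sits in the manifest)
//   runtime: true if the package is bundled into or loaded by shipped code
const findings = [
  { id: "ADV-0001", pkg: "build-helper-x",   severity: "high",     scope: "dev",  runtime: false },
  { id: "ADV-0002", pkg: "http-router-y",    severity: "high",     scope: "prod", runtime: true  },
  { id: "ADV-0003", pkg: "date-fmt-z",       severity: "low",      scope: "prod", runtime: true  },
  { id: "ADV-0004", pkg: "bundler-plugin-w", severity: "critical", scope: "dev",  runtime: true  },
  { id: "ADV-0005", pkg: "lint-rule-v",      severity: "moderate", scope: "dev",  runtime: false },
];

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1 };

// Decide the handling bucket for a single finding.
//   backlog:  build-toolchain only, never shipped; fix during routine upgrades
//   act_now:  reachable at runtime and high/critical severity
//   schedule: reachable at runtime but lower severity
function classify(f) {
  const rank = SEVERITY_RANK[f.severity];
  if (rank === undefined) {
    throw new Error(`unknown severity "${f.severity}" on ${f.id}`);
  }
  // A dev dependency that is not part of the shipped artifact only matters to
  // the build host; note that "dev" alone is not enough, a dev package can
  // still be bundled into output (ADV-0004 above).
  if (f.scope === "dev" && !f.runtime) return "backlog";
  return rank >= SEVERITY_RANK.high ? "act_now" : "schedule";
}

// Group findings into buckets, each sorted with the worst severity first.
function triage(list) {
  const buckets = { act_now: [], schedule: [], backlog: [] };
  for (const f of list) buckets[classify(f)].push(f);
  for (const key of Object.keys(buckets)) {
    buckets[key].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  }
  return buckets;
}

// Small summary helper so the signal count is visible at a glance.
function summarize(buckets) {
  return Object.fromEntries(
    Object.entries(buckets).map(([k, v]) => [k, v.map((f) => f.id)])
  );
}

console.log(JSON.stringify(summarize(triage(findings)), null, 2));
```

The `runtime` flag is the part that takes real work to fill in: the manifest tells you `prod` versus `dev`, but whether a dev package is bundled into the served artifact requires checking the build output, which is exactly the reachability question the scanners the commenter describes do not answer.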



Note that tech news is biased towards flashy or relatable security issues. Nobody is going to n-day your phone (though you should, of course, keep it up to date). It's your Drupal you should worry about.


With that said, there is a long and proven track record of attacks on phones.

But those tend to be against journalists and activists.

What threat model you operate under is a nontrivial problem.


Right, those posts are kind of like newspaper articles about shark attacks



