Mike Fiedler, Code GardenerMay 26
I wonder who I know that knows someone at HackerOne that can convey the message that PyPI explicitly disallows security research packages, and bans users who upload them. Put that in a notice to your users somewhere prominent - since it's become pervasive and a drain on resources.
This also takes time away from legitimate security incident response - so it's a net negative for the world.
Show threadJacob PrattMay 26
@miketheman What does this have to do with H1? I can pass the message along to some employees if I understand the relevance.
Show threadMike Fiedler, Code GardenerMay 26
@jhpratt many researchers will see a program on H1 and attempt at dependency confusion for that company's packages by uploading malicious appearing versions to PyPI
Show threadaburka 🫣May 26
@miketheman @jhpratt that just sounds like a straight up supply chain attack, not "research"
Show threadMike Fiedler, Code Gardener
@aburka @jhpratt well, that's the problem, isn't it. The code often isn't an attack beyond a phone home telemetry, and I simply don't have the bandwidth to argue with each new researcher who claims to have found an ultra critical supply chain vulnerability.
May 26 at 7:19pmWeb