# stdlib
Just published my writeup about CVE-2020-29582, a vulnerability in the Kotlin standard library from last year. Unfortunately, JetBrains does what is, in my opinion, a terrible job of disclosing their own vulnerability details. I've brought this up before, but they haven't done anything to improve the situation. Anyways, here's the disclosure: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-5w9v-8x7x-rfqm
Here's the question that kicked off my publishing this finally: https://kotlinlang.slack.com/archives/C0B8M7BUY/p1643897982577199
I've changed up my disclosure process on my end to help get more information out to the end-users moving forward. I write my disclosures for a public-facing audience first. Then I send that disclosure privately to the vendor. Whether they fix or don't fix the vulnerability, I disclose at the end of 90 days.
That way I'm not writing a disclosure twice, once for the vendor and once for the public.