Comment by notepad0x90
6 hours ago
> Do you expect it to take you a whole, dedicated month to fix 1 bug at a time?
Like I said, the bugfix is not what takes long. They have to figure out the extent of the vulnerability, do regression testing, make sure they don't introduce more issues. And _then_ they can begin sending embargo notifications, let their customers prep, patch, etc., while in parallel they do analysis of in-the-wild exploitation. They have to support all the paying customers that are panicking and want answers. You're not the only one scrutinizing every word they say and demanding answers. They talked to lawyers plenty during that time. If you know legal admission of guilt is one of the things included, then you should know they're publicly traded and SOX plus section 8 filings are a huge deal. Their CISO could literally end up in prison if he screws this up. So yeah, it takes a couple of days. They have to have outside parties (likely) support their response; even without that, "who did what", "what was affected", "how was it abused", "how can it be prevented", all of that needs to be answered, and then there is lots of back and forth on the specifics of the wording to the public/PR, what to tell investors, customers, etc.
> This is a bit of a no true Scotsman.
There are different detection strategies possible. Your approach could be done: when an error message that hasn't been seen previously suddenly shows up, it could be flagged for follow-up investigation, contacting Mongo support, etc. That's not what I meant though. You mentioned exfil; abnormal data transfers from 'mongod' could be caught is what I meant. Most modern SIEMs do this out of the box if you feed them right and well.
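The two detection ideas in the comment above, a never-before-seen error message and an abnormal outbound byte count from the `mongod` process, as an added example that is not part of the original thread and not anyone's SIEM product. Both the log line format (`ts proc=<name> level=E msg="..."` and `ts proc=<name> bytes_out=<n>`) and the baseline/threshold values are constructed for illustration; a real deployment would take the baseline from historical telemetry and tune `k` to the host's traffic profile.

```python
"""Added example: novelty detection on error messages plus a rolling-baseline
volume detector for per-process egress. All log lines, baselines and
thresholds below are constructed; the line format is an assumption."""
import re
import statistics

# Constructed baseline of error templates already seen during normal operation.
BASELINE_ERRORS = {
    "connection refused from 10.0.0.5",
    "auth failed for user",
}

# Constructed error log lines in the assumed "ts proc=<p> level=E msg=..." form.
SAMPLE_ERRORS = """\
2024-01-01T00:34:00 proc=mongod level=E msg="connection refused from 10.0.0.7"
2024-01-01T00:34:30 proc=mongod level=E msg="auth failed for user"
2024-01-01T00:35:00 proc=mongod level=E msg="unexpected value in query plan cache"
"""

# Constructed per-interval egress telemetry in the assumed "ts proc=<p> bytes_out=<n>" form.
SAMPLE_EGRESS = """\
2024-01-01T00:00:00 proc=mongod bytes_out=1200
2024-01-01T00:05:00 proc=mongod bytes_out=1350
2024-01-01T00:10:00 proc=mongod bytes_out=1100
2024-01-01T00:15:00 proc=mongod bytes_out=1280
2024-01-01T00:20:00 proc=mongod bytes_out=1190
2024-01-01T00:25:00 proc=mongod bytes_out=1310
2024-01-01T00:30:00 proc=mongod bytes_out=1240
2024-01-01T00:35:00 proc=mongod bytes_out=90000
2024-01-01T00:35:00 proc=nginx bytes_out=500000
"""

ERROR_RE = re.compile(r'^(?P<ts>\S+) proc=(?P<proc>\S+) level=E msg="(?P<msg>[^"]*)"$')
EGRESS_RE = re.compile(r'^(?P<ts>\S+) proc=(?P<proc>\S+) bytes_out=(?P<bytes>\d+)$')


def normalize(msg):
    """Collapse digits so that messages differing only in IPs, ids or counts
    map to the same template; otherwise every new client address is 'novel'."""
    return re.sub(r"\d+", "#", msg.lower()).strip()


def novel_errors(lines, baseline, proc="mongod"):
    """Return (ts, raw message) for each error template not in the baseline.
    The baseline is only extended in memory for this run; adding a template
    permanently should be a triage decision, not automatic."""
    seen = {normalize(m) for m in baseline}
    novel = []
    for line in lines.splitlines():
        m = ERROR_RE.match(line)
        if not m or m["proc"] != proc:
            continue
        key = normalize(m["msg"])
        if key not in seen:
            novel.append((m["ts"], m["msg"]))
            seen.add(key)  # report each new template once per run
    return novel


def egress_anomalies(lines, proc="mongod", min_history=5, k=4.0):
    """Flag intervals whose bytes_out exceeds mean + k*stddev of the preceding
    unflagged intervals for this process. Returns (ts, bytes, threshold).
    Flagged values are kept out of the baseline so a burst does not raise the
    bar for the intervals that follow it."""
    history, alerts = [], []
    for line in lines.splitlines():
        m = EGRESS_RE.match(line)
        if not m or m["proc"] != proc:
            continue
        n = int(m["bytes"])
        if len(history) >= min_history:
            mean = statistics.fmean(history)
            sd = statistics.stdev(history)
            # Floor the deviation at 1 byte so a flat baseline does not fire on noise.
            threshold = mean + k * max(sd, 1.0)
            if n > threshold:
                alerts.append((m["ts"], n, round(threshold)))
                continue
        history.append(n)
    return alerts


if __name__ == "__main__":
    for ts, msg in novel_errors(SAMPLE_ERRORS, BASELINE_ERRORS):
        print(f"novel error {ts}: {msg}")
    for ts, n, thr in egress_anomalies(SAMPLE_EGRESS):
        print(f"egress anomaly {ts}: {n} bytes (threshold {thr})")
```

Run stand-alone, the novelty check reports only the "query plan cache" message (the new client IP in the first line normalizes to a known template), and the egress check reports only the 90000-byte interval; `nginx` is never evaluated because the baseline is kept per process, which is the "feed them right" part of the comment: the SIEM needs process attribution on the flow records, not just host-level byte counts.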