
Comment by Rygian

2 days ago

I don't understand what is being encouraged here.

Something is seriously wrong when we say "hey, respect!" to a company who develops an unauthenticated RCE feature that should glaringly shine [0] during any internal security analysis, on software that they are licensing in exchange for money [1], and then fumble and drop the ball on security reports when someone does their due diligence for them.

If this company wants to earn any respect, they need at least to publish their post-mortem about how their software development practices allowed such a serious issue to reach shipping.

This should come as a given, especially seeing that this company already works on software related to security (OpenAuth [2]).

[0] https://owasp.org/Top10/2025/ - https://owasp.org/Top10/2025/A06_2025-Insecure_Design/ - https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/ - https://owasp.org/Top10/2025/A05_2025-Injection/

[1] https://opencode.ai/enterprise

[2] https://anoma.ly/

I’ve noticed this a lot with startup culture.

It’s like an unwritten rule to only praise each other because to give honest criticism invites people to do the same to you and too much criticism will halt the gravy train.

  • I've struggled a bit on this: LinkedIn's positivity echo chamber vs. the negativity-rewarding dunk culture here. No greater power exists on HN than critical thinking using techno-logic in a negative direction, revenue and growth be damned.

    Opencode doesn't have to maintain Zen so cheaply. I don't have to say anything positive or encouraging, just like I don't have to sh!t on YouTuber 'maintainers' who promise incredible open source efforts which do more to prove they should stick to videos rather than dev. Idk. Not exactly encouraging me to comment at effing all if any positivity or encouragement is responded to with the usual "hm idk coach better check yoself". Ya, honestly I think I know exactly what to do.

Honestly, the RCE here is in the browser. Why does the browser execute any code in sight, and why can this code do anything?

  • It's called "the world wide web" and it works on the principle that a webpage served by computer A can contain links that point to other pages served by computer B.

    Whether that principle should have been sustained in the special case of "B = localhost" is a valid question. I think the consensus from the past 40 years has been "yes", probably based on the amount of unknown failure possibilities if the default was reversed to "no".

    • OWASP A01 addresses this: "Violation of the principle of least privilege, commonly known as deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone."

      Indeed, a deny-by-default policy results in unknown failure possibilities; it's inherent to safety.

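The two threads above (a page served by computer A can make the browser send requests to a service on localhost, and OWASP A01's "deny by default") can be combined in one request filter for a local service. This is an added example, not code from OpenCode or from anyone in this thread; the port, the header names checked, and the bearer-token scheme are assumptions. It denies any request that does not carry the expected Host, that arrives with a foreign Origin or a cross-site Sec-Fetch-Site, or that lacks a per-launch secret token that only a local client can know.

```python
import hmac
import secrets

# Constructed example of a deny-by-default request filter for a service that
# listens on localhost. Port and header policy are assumptions for illustration.
LISTEN_PORT = 4096  # assumed port of the local service
ALLOWED_HOSTS = {
    f"localhost:{LISTEN_PORT}",
    f"127.0.0.1:{LISTEN_PORT}",
    f"[::1]:{LISTEN_PORT}",
}
ALLOWED_ORIGINS = {
    f"http://localhost:{LISTEN_PORT}",
    f"http://127.0.0.1:{LISTEN_PORT}",
}


def generate_session_token() -> str:
    # Fresh random token per launch; the service hands it only to its own
    # local client (e.g. via a file readable only by the current user).
    return secrets.token_urlsafe(32)


def is_request_allowed(headers: dict, expected_token: str) -> tuple:
    """Return (allowed, reason). Every check must pass; anything unexpected is denied."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must name the local service. A request whose Host is some other
    #    name was not addressed to us by a well-behaved client.
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host header: {host!r}"

    # 2. Browsers attach Origin to cross-site fetches/POSTs. If it is present it
    #    must be our own origin; absent is fine (non-browser client or same-origin GET).
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-site Origin: {origin!r}"

    # 3. Modern browsers also send Sec-Fetch-Site; a plain link click from a
    #    remote page arrives as "cross-site" with no Origin header.
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False, f"cross-site navigation: {fetch_site!r}"

    # 4. Finally, require the per-launch secret. A web page on another site
    #    cannot read it, so it cannot present it. Constant-time compare.
    auth = h.get("authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode("utf-8"), expected_token.encode("utf-8")
    ):
        return False, "missing or invalid bearer token"

    return True, "ok"


def demo() -> dict:
    """Run the filter over a few constructed request header sets."""
    token = generate_session_token()
    cases = {
        "local client with token": {
            "Host": f"localhost:{LISTEN_PORT}",
            "Authorization": f"Bearer {token}",
        },
        "fetch from a remote page": {
            "Host": f"localhost:{LISTEN_PORT}",
            "Origin": "http://some-site.example",
            "Authorization": f"Bearer {token}",
        },
        "request addressed to another host name": {
            "Host": "some-site.example",
            "Authorization": f"Bearer {token}",
        },
        "link click from a remote page": {
            "Host": f"localhost:{LISTEN_PORT}",
            "Sec-Fetch-Site": "cross-site",
        },
    }
    return {name: is_request_allowed(hdrs, token) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The filter is request-level; it belongs alongside binding the listener to 127.0.0.1 only and storing the token where other users cannot read it. Note that of the four constructed cases only the local client carrying the token is allowed; the other three fail at the first check that does not match, which is the "deny by default" behaviour the thread is arguing for.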