
We welcome all the paranoia we can get. Please be informed that multiple organizations have done security audits for GitLab and we have paid external parties to perform them for us. That doesn't mean there are no bugs anymore.



Multiple organizations -> good! :)

Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

Though I usually give them the benefit of the doubt and omit my feelings when I write my report. Maybe it was a time constraint or a scoping issue that prevented them from seeing it? I have no way of knowing.

So, kudos for not having a single point of failure.


> Not to speak badly about any of my peers in particular, but I've come in after other security auditing teams and found really obvious bugs that they've overlooked.

And you've never missed one, right?

Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app. Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)


Have I overlooked bugs? Sure.

Have I overlooked really obvious bugs? None so far that I've been informed of.

I'm not careless when I get paid to audit a project. Of course, I know I'm not perfect either.

One time, I was writing a PoC implementation of AES-CBC and forgot to authenticate the IV (which was included in the message). Luckily, someone called me out on it very early on. (As a result, I'm also more likely to catch this kind of mistake in someone else's work.)

Making mistakes is part of the learning process. Making mistakes when assessing someone else's security is a very real danger. That's why I give GitLab kudos for using multiple organizations.

The moral to the story I was telling, albeit poorly, is that "I think you're doing the right thing by having multiple teams look at your project". But that was my fault for not expressing this clearly enough.

> Aside from this, your behavior in this thread is a very loud warning about working with you, particularly telling someone to learn to read below by linking to an app.

Nobody who contacts my employer deals with me directly. The person who handles clients has people skills. I do the technical heavy lifting.

So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

> Handle being questioned a bit better, if you can, and understand that seeing this immediately talks me out of using your services. (Even if you're an oracle who never makes a mistake, as you imply. I'll take my chances with someone a bit more professional.)

I don't mind being questioned. I mind people demonstrating a blindness to the qualifiers I explicitly include in my statements.
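
The mistake mentioned above, forgetting to cover the IV with the MAC in an AES-CBC construction, is easy to reproduce. The following Go program is an added example and is not code from the commenter or from GitLab; it uses only the standard library, and the keys, message and the `seal`/`open`/`flipIVBit` names are constructed for the demonstration. It encrypts with AES-CBC and HMAC-SHA256 in encrypt-then-MAC order, once with the MAC over `iv || ciphertext` (correct) and once with the MAC over the ciphertext only (the mistake), then flips one bit of the IV in each message: the correct variant rejects the message, while the flawed variant decrypts it successfully with the same bit flipped in the first plaintext block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad pads b up to a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates PKCS#7 padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// seal produces iv || ciphertext || tag. With authenticateIV=true the tag is
// HMAC(macKey, iv || ciphertext); with false it is HMAC(macKey, ciphertext),
// which is the mistake described in the thread.
func seal(encKey, macKey, plaintext []byte, authenticateIV bool) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	if authenticateIV {
		mac.Write(iv)
	}
	mac.Write(ct)
	out := make([]byte, 0, len(iv)+len(ct)+sha256.Size)
	out = append(out, iv...)
	out = append(out, ct...)
	return append(out, mac.Sum(nil)...), nil
}

// open verifies the tag in constant time before touching the ciphertext.
func open(encKey, macKey, msg []byte, authenticateIV bool) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	tagStart := len(msg) - sha256.Size
	iv, ct, tag := msg[:aes.BlockSize], msg[aes.BlockSize:tagStart], msg[tagStart:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	mac := hmac.New(sha256.New, macKey)
	if authenticateIV {
		mac.Write(iv)
	}
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// flipIVBit returns a copy of msg with one bit of the IV (bit index 0..127) flipped.
// In CBC the IV is XORed into the first plaintext block, so this flips the same
// bit of the recovered plaintext unless the IV is authenticated.
func flipIVBit(msg []byte, bit int) []byte {
	out := append([]byte(nil), msg...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

func main() {
	encKey := []byte("0123456789abcdef") // constructed demo key, never reuse
	macKey := []byte("fedcba9876543210") // constructed demo key
	pt := []byte("amount=100;to=alice")  // constructed sample message
	for _, authIV := range []bool{true, false} {
		msg, _ := seal(encKey, macKey, pt, authIV)
		got, err := open(encKey, macKey, flipIVBit(msg, 0), authIV)
		fmt.Printf("IV authenticated=%v: err=%v plaintext=%q\n", authIV, err, got)
	}
}
```

Run it and the first line reports `authentication failed`, while the second line shows the flawed variant returning a plaintext whose first byte has been altered without any error, which is exactly why the tag must cover everything the receiver uses, IV included.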


> So, please rest assured, that any "very loud warning" you're reading won't translate into the quality of services we provide, even if I am an asshole on my personal accounts.

And yet here I am, mentally blacklisting your company. Weird, right? Almost like team matters, and you carry a 'C' in your title, allegedly, so...

It was just informal advice to rein yourself in. Take it or leave it.


> It was just informal advice to rein yourself in. Take it or leave it.

Okay, I'll take it. It's just really frustrating that this keeps happening even though I take care to choose my words very precisely. Especially qualifiers.

I don't know how to be more explicit than totally explicit. That doesn't even seem possible. Maybe I'm the idiot here.
