Hacker News | ascended's comments

Mozilla denies a HawkAuth bypass in the open source repo they maintain, refusing to issue a CVE for severity reasons (that's an oxymoron), while deprecating it from their backend account and payment services (FXA), fixing privately reported vulnerabilities, and acknowledging the issue as a Hall of Fame bug bounty submission. Yet they deny a CVE and refused a patch PR submission, denying the issue.


Much of this appears to be written by a contracted vulnerability assessor. I have performed both vulnerability assessments and penetration tests: for customers that have identified a specific adversary and asked us to emulate it, for businesses that require a periodic attestation of compliance to a standard like PCI, sometimes for an enthusiastic manager who wants a hacker to test them, thinking the security tool deals they have made will protect them, and for customers that just want the findings as a report to help define future product enhancements.

I've used some very important and distinctive terms that your post failed to address: 1) findings, 2) vulnerability assessment, 3) penetration test, 4) attestation of compliance (AoC).

A vuln scan is not a pentest; the difference is very simple. A pentest not only finds things that can be exploited; for it to be a pentest, it actually needs to craft the exploit to validate them. The vuln scan is just reporting unvalidated findings; if you didn't craft an exploit, you are not reporting a vulnerability yet. And always remember the rule: one is none. One instance of a finding through one test is not enough; one validation for a solid finding is not yet validation until you've crafted at least two tests. And a report is not an AoC; an attestation of compliance must be provided with evidence for all findings, not just screenshots but real evidence that the customer can replay to corroborate your finding. Furthermore, an AoC is useless if you simply provided a CVSS score; it must be risk-based and relevant to the customer. A CVSS rating of INFO is often a HIGH RISK, because the vendor CVSS didn't have the customer context to rate it, but often these INFO ratings offer the vectors to gain private keys and such that can be used in a multi-staged attack. CVSS is only concerned with the current context, stage 1 of the attack; it cares not if stage 2 is a disclosure of a private key and stage n is exfil.

I really wish the so-called hackers and these so-called ethical hackers from offensive security certifications (who unfortunately make up the majority) actually spoke to their customers and learned what customers really need, instead of working solo, using severely limited tools like Kali, in their hoodies, and ignoring the reality of what it means to be a professional.

Take in the advice above and at least try to act like a useful part of this industry. I can't tell you how many times customers ask for a real report after getting so many terrible failed reports that wasted their money and time. Maybe more than just once this year I'd like a customer to tell me they've never had a bad experience with a so-called pentester.


Not true. I'm a work-from-home consultant and use Slack calls via Firefox several times a day without a problem, even after the Quantum update.


"Doesn't support" does not mean "doesn't work". It just means that if you have a problem with Slack on Firefox that doesn't happen in Chrome, they will not go out of their way to fix it and, probably, that they don't test Slack on Firefox (or not as much as they test it on Chrome).


I should have been more clear. I meant that it doesn't work. I get a message saying that I should use chrome. I'll get a screenshot and update here.

Here is their doc: https://get.slack.help/hc/en-us/articles/205138367-Common-is...


It's never not worked for me, if you're referring to https://hangouts.google.com. I use it daily as my primary IM and am primarily a Firefox user across all platforms. Never had an issue with Hangouts, even after the Quantum update.


Your two examples, C and JavaScript, are dying if not dead already. We have consensus on WebAssembly now, and that's allowed a lot of languages into the browser with a better developer experience and performance than JavaScript ever offered.

And Rust. What's not to say about Rust? One thing that kept C alive so long is that there wasn't anything viable to build operating systems with until Rust. There's a lot more to Rust too: its compiler, LLVM, is used to compile so many other languages, like Apple's ObjC, and there are wrappers for others like Apple's Swift. I mention these due to the heavy usage and development upstream into LLVM for these. You can even use Rust to create better-performing code for other languages, like Python modules.

You (OP) are definitely accurate in your post saying C and JavaScript are comparatively static, but even they've gone through feature development and drastic syntax and paradigm changes (in the case of JavaScript).

