diff options
Diffstat (limited to 'content/entry/oxen-security-fail.md')
| -rw-r--r-- | content/entry/oxen-security-fail.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/content/entry/oxen-security-fail.md b/content/entry/oxen-security-fail.md index 0ab06d0..c2f7f27 100644 --- a/content/entry/oxen-security-fail.md +++ b/content/entry/oxen-security-fail.md @@ -9,7 +9,7 @@ The download links for each project are all vulnerable to network-level man-in-t When I noticed the lack of security headers on getsession.org, I emailed support@getsession.org informing them of the issue the same day. Over a week later, it's still not fixed and I have no response. How long has their website been insecure like this? I'm left wondering whether I should take OPTF and their work seriously. How can crypto projects focused primarily on privacy and security overlook basic web security? OPTF has some explaining to do. -Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pentester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form[6] about what all I've already found. I'll update this entry later once they respond. +Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pen tester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form[6] about what all I've already found. I'll update this entry later once they respond. # Update (2021-10-02): I received a response the same day I contacted the OPTF. They let me know my original email to Session went to spam which is why they didn't see it. It probably got filtered because I put "URGENT" in the subject line. The issue was resolved by the next day and the CTO (Kee Jefferys) thanked me for the feedback. |