{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreieaaocjp4unj5dt367gjgibkuddgj7t26zwik2z3rvk263tur5pla",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mou4vhaonqy2"
},
"path": "/t/curl-summer-of-bliss-curl-will-not-process-security-vulnerabilities-in-july/38553?page=2#post_27",
"publishedAt": "2026-06-22T03:26:56.000Z",
"site": "https://discuss.privacyguides.net",
"tags": [
"okta.com",
"Security Through Obscurity (STO): History, Criticism & Risks | Okta",
"@overdrawn98901"
],
"textContent": "So explain your position instead of throwing bot emojis and acting as if I had insulted you?\n\n* * *\n\nEditing to explain my position further.\n\nWhat you are proposing is indeed security through obscurity.\n\n> The concept of security through obscurityopens in a new tab (STO) relies on the idea that a system can remain secure if the vulnerabilities are secret or hidden.\n\nokta.com\n\n### Security Through Obscurity (STO): History, Criticism & Risks | Okta\n\nSecurity through obscurity relies on secrecy to enhance cyber defense. Learn why many security admins find security by obscurity to be ineffective with Okta.\n\nYou’re attempting to hide that there’s a vulnerability. But curl announced they have stopped processing the vulnerability reports. If that’s a public GitHub ticket, then there is no hiding it.\n\nAlso, obscurity is at most, something that complements the best practice, which is transparency. I’m not opposed to marking a fixed vulnerability in commit history with “fix comma” or whatever. That gives time for the patch to be applied across userbase. You’ve already fixed the vulnerability and kept the code open source and so adhered to best practices.\n\nWhen it’s time to sunset a project the best practice is to announce you’re no longer supporting it or patching vulnerabilities. You don’t hide that to maximize the time users can get use out of it. Why would temporary break in support be treated differently? Who knows if something happens and you can’t return for another month, or year.\n\nYour claim that the curl devs are announcing they’re not home for a month is not analogous as it’s not their house whose at risk. It’s everyone else. So the very least you need to address that in your analogy.\n\nAlso finally, as @overdrawn98901 already said, paying customers are getting support. There is no issue here.",
"title": "Curl summer of bliss (curl will not process security vulnerabilities in July)"
}