- Which mods/admins were being Power Tripping Bastards?
Snoopy
- What sanction did they impose (e.g. community ban, instance ban, removed comment)?
Community ban
- Provide a screenshot of the relevant modlog entry (don’t de-obfuscate mod names).
- Provide a screenshot and explanation of the cause of the sanction (e.g. the post/ comment that was removed, or got you banned).
I woke up to suddenly being banned with a dm that was misgendering me. It appears the real reason I was banned was due to fact I was critical of Piefed’s recent actions.
Snoopy has no evidence that “I personally released the exploits into the wild" It was actually @yogthos@lemmy.ml who did the deed. I’m not technically enough to be pull it off, nor do I want to.
- Explain why you think it’s unfair and how you would like the situation to be remedied.
Hopefully unbanned and unblocked.
This, assumes the vendor acts in good faith, which, as we have seen in the past few days, it hasn’t been the case. Public disclosure was the appropriate course here, so it allows forks like Pievolution & PyLova the awareness to also take action on their derivative vulnerabilities.
I believe @yogthos@lemmy.ml purposely did not, to exemplify amateurs now have access to tools they should not, and WILL forgo proper standardized communication channels to disclose issues like these in the future. Unless you believe Mitre & CVE reporting will be taught in grade schools, this threat model is pretty realistic of what we should now come to expect. Not everyone is privileged enough to afford security courses, and standardized education.
Responsible disclosure does not assume the vendor acts in good faith. Usually the disclosure period is around 90 days before the vulnerability is released, fixed or not (although this is negotiable with a good faith vendor).
Forks etc. could have been informed privately first too if possible.
This is not a good argument. Undisclosed zero days in the wild have always been part of the threat model. Amateurs with LLMs or not, a large percentage of vulnerabilities are not disclosed responsibly and are only fixed after damage has been done. Putting people and their personal information at risk because you want to make a point about the dangers of zero days (which everyone is already aware of) is woefully unethical.
That doesn’t mean we should abandon these things. The vendor can report the CVE too. Or anyone else with an interest in it. It doesn’t have to be the untrained amateur grey hat asking Claude for vulns. A malicious threat actor exploiting a system doesn’t report it either. The community benefits from skilled people handling things properly. Pretending that it doesn’t because most people don’t have those skills is silly.
You’ve never been sued then.
Hopefully I don’t need to demonstrate how this also isn’t an argument that doesn’t hold itself.
And unskilled people now have access to skilled tools that doesn’t handle things properly…. It’s not an argument people’s personal information is already at risk. It’s an argument that the tools people now have access do not properly handle things. Maybe teach the people that developed claude mythos how to Mitre & CVE responsibly ╮(︶▽︶)╭
As far as I know, piefed doesn’t even have a cve process for submitting vulnerabilities. And I’d like to note that the two vulnerabilities I disclosed only affect the server admin in a sense that they allow the attacker to post content to the server and snoop around on available endpoints, but they don’t expose any user information.
They don’t need to have one.
You can report it here: https://cveform.mitre.org/
Use the CNA-LR since I don’t think they have a CNA.
You were probably trying to do the right thing disclosing, just know that there is a better process for it (even if you think the devs are asshats, it’s good to do it like that for the community who aren’t).
Even if it only affects admins, that includes admins of forks etc.
I’m sure there’s probably more vulnerabilities to find.
Ah, I didn’t actually know about using mitre. So, that is good to know for the future.