The world of security research is no stranger to the phenomenon of not-a-vulnerability. That’s where a security researcher finds something interesting, reports it to the project, and it turns out that it’s something other than a real security vulnerability. There are times that this just means a researcher got over-zealous on reporting, and didn’t really understand what was found. There is at least one other case, the footgun.

A footgun is a feature in a language, library, or tool that too easily leads to catastrophic mistake — shooting ones self in the foot. The main difference between a footgun and a vulnerability is that a footgun is intentional, and a vulnerability is not. That line is sometimes blurred, so an undocumented footgun could also be a vulnerability, and one possible solution is to properly document the quirk. But sometimes the footgun should really just be eliminated. And that’s what the article linked above is about. [Alex Leahu] takes a look at a handful of examples, which are not only educational, but also a good exercise in thinking through how to improve them.

Continue reading “This Week In Security: Footguns, Bing Worms, And Gogs” →