Quote:
Originally Posted by 2MuchMark
The issue wasn’t “user input.” The risk was remote input (your server’s version.txt) being placed into innerHTML. I hope you fixed them.
“Independent audits said nothing malicious” doesn’t contradict “there was a security flaw.” Both can be true at the same time. I never said you did steal anything, I said your design created an avoidable risk.
On Legacy: he is not my employee. He said he was on his LinkedIn account and I asked him to remove it, which he did. This is something you know already, but anyway. That's on him.
Bottom line: you posted public software for people to install. It got reviewed publicly. Issues were raised. You said you improved it after I pointed it out. Good on you.
So TheLegacy lied on his LinkedIn for 4 years about working for you?
He listed himself as "Chief Program Director at 2Much.net" since February 2021. That's not a typo - that's a job title, company name, and start date. You're telling me he fabricated employment at YOUR company for four years and you just noticed?
Either TheLegacy is a fraud who lies about his employment, or you're lying now. Pick one.
On the "security review":
You didn't do a responsible disclosure. You posted "MAJOR RED FLAGS" and "sneakier than a backdoor" publicly to scare people away from installing it. That's not helping - that's a hit piece.
Real security researchers contact developers privately first. You wanted the FUD public.
You still haven't answered:
Why did you keep asking questions 11 times after I told you to leave?
Why did CyberHustler and Umami post malware accusations before your "technical review"?
Why did your review come after Killswitch and fris already verified the code was clean?
You keep talking about the extension like that's what this is about. It's not. It's about the pattern: TheLegacy joins a longtime sociopath and stalks me for weeks, you back him up, sock puppets attack on cue, and you play "just asking questions."
We all see it.
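The technical point buried in the quoted post is the one worth keeping: a file fetched from the server (version.txt) written into innerHTML means whatever the server returns is parsed as HTML by the user's browser. The following is an added example, not code from either poster or from the extension under discussion; it shows the vulnerable rendering pattern beside a hardened one that validates the version string against a strict pattern and writes it as text. The element stand-in, the version format and the sample responses are constructed assumptions so the snippet runs under Node without a browser.

```javascript
// Added example, not code from the thread or the extension it discusses.
// Risk: a remote file body assigned to innerHTML is interpreted as markup.
// Fix: accept only the shape a version string can have, and write it as text.

// Allowlist for what version.txt may contain (assumption: dotted numeric
// versions; adjust the pattern to the real format the project uses).
const VERSION_RE = /^\d+\.\d+(\.\d+)?$/;

// Returns the trimmed version string if it is well-formed, otherwise null.
function validateVersion(body) {
  if (typeof body !== 'string') return null;
  const v = body.trim();
  return VERSION_RE.test(v) ? v : null;
}

// Vulnerable pattern: the fetched body goes straight into innerHTML, so any
// tags the server (or anyone able to alter the response) includes are parsed.
function renderVersionUnsafe(el, body) {
  el.innerHTML = 'Latest version: ' + body;
  return el;
}

// Hardened pattern: validate first, then assign to textContent, which a real
// browser element never parses as markup.
function renderVersionSafe(el, body) {
  const v = validateVersion(body);
  el.textContent = v === null ? 'Version unavailable' : 'Latest version: ' + v;
  return el;
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
// It only records what was assigned; a real element would parse the innerHTML
// string as HTML, which is exactly the behaviour the safe path avoids.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample responses: a normal version.txt body and one carrying markup.
const GOOD_BODY = '2.4.1\n';
const TAMPERED_BODY = '2.4.1<b>see notes</b>';

// Runs both paths against both bodies and returns the rendered results.
function demo() {
  return {
    unsafeTampered: renderVersionUnsafe(fakeElement(), TAMPERED_BODY).innerHTML,
    safeTampered: renderVersionSafe(fakeElement(), TAMPERED_BODY).textContent,
    safeGood: renderVersionSafe(fakeElement(), GOOD_BODY).textContent,
  };
}

console.log(demo());
```

The validator is the part that matters for detection as well as mitigation: a version file that fails the pattern is a signal worth logging, since a legitimate build pipeline should never emit anything but a bare version string.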