• sugar_in_your_tea (5 up, 1 down) · 1 year ago

    The same is true for other stuff too. For example, I’m more likely to use a password manager that handled a breach responsibly than an unproven service. I’m looking for essentially three things from a breach:

    • when did they detect it, and what was their immediate response?
    • how transparent were they in communicating the breach, and did they need to make amendments later? (more tolerance if they’re quick with reporting the breach)
    • what changes did they make to ensure it doesn’t happen again? Were those changes merely to patch this vulnerability, or did they notice other vulnerabilities?

    Breaches happen, so I’m mostly interested in how their existing security ops mitigated the fallout (e.g. did they properly salt passwords, have transaction limits on the DB, etc), and how thorough the investigation was. A good org will be much stronger after a breach than most competitors, so if everything checks out, they’re probably a safer bet going forward.

    • conciselyverbose@kbin.social (4 up) · 1 year ago

      Given the scope of this project (a non-commercial free mod), I would honestly not judge them harshly for a much poorer response. It’s not their job; if they took a couple of days to notice during the holiday season, then weren’t able to say much more than “we think you’re fucked if you have this mod installed”, a lot of harm might be done, and they’d definitely see a lot of criticism, but I’d understand. For a small team that doesn’t do security, especially one that isn’t even selling its product, getting hacked has the potential to be extremely overwhelming, and you very possibly don’t have the expertise or resources to investigate properly.

      Instead, they put a bunch of real companies to shame. (Some of those companies have breaches that are a lot more complex in scope, but still.)

      • sugar_in_your_tea (1 up) · 1 year ago

        Yup, I 100% agree. I absolutely take the size of the org, the risk to me (e.g. medical info is more impacted than game playtime), and how much I paid into account when evaluating a response.

        This was a way better response than I could ever hope for from such a project.