> Amir Omidi: If you're offering to open source the RCE code you were using with this, I'm sure that would be helpful.

We are going to publish the RCE working-code analysis on my blog before June 17, and in it reveal a new unsafe variable injection/pollution problem in ACME.sh v3.0.6. Open-sourcing a repo for the RCE on ACME.sh v3.0.5 would take some time, because of desensitization of variables and data, and because it has to be separated from our main repository (HiCA is a sub-application in it).

> It is never acceptable to build a business on top of an RCE. The right move would've been to disclose this bug.

I didn't realize in the past that this would cause serious security problems (but now I do). I'm not a professional security researcher (I don't understand the RCE standard; the security vulnerabilities I have learned in the past are CSRF, SSRF and the like), so I used it for the `/.well-known/pki-validation` domain validation out of the idea of building a cool tool (HiCA), an easier way to disseminate free certificates to the community. I now understand it was a mistake. My apologies.

On Thursday, June 15, 2023 at 09:16:23 UTC+8, Amir Omidi wrote:

> Emailing in a personal capacity.
>
> If you're offering to open source the RCE code you were using with this, I'm sure that would be helpful.
>
> It is never acceptable to build a business on top of an RCE. The right move would've been to disclose this bug.
>
> On Wed, Jun 14, 2023 at 20:39 Watson Ladd <watso...@gmail.com> wrote:
>
>> On Wed, Jun 14, 2023 at 10:46 AM Xiaohui Lam <inao...@gmail.com> wrote:
>> >
>> > @Watson Ladd,
>> >
>> > Again,
>> >
>> > We agreed with ssl.com to cancel free certificates. It means we aren't only providing free certificates, but also paid certificates. If only annual (1 year) certs had been cancelled it would be fine, we can take it, but there are many multiple-year subscriptions purchased by our users (including some OV certs).
>> > If you bought something with a period of many years, but it was delivered on an annual basis, and the merchant ran away after one year, would you defend your consumer rights?
>>
>> If the merchant broke into my home to deliver it, I'd be calling the police.
>>
>> Sincerely,
>> Watson Ladd
>
> --
> Amir Omidi (he/them)

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/af772e5e-5b2d-45d5-abb1-a2e2b883a15dn%40mozilla.org.