Closed jrconlin closed 5 years ago
I agree on the sentiment for this one, just to explain the reason for it behaving like it does: a lot of companies really needed the memory snippet to believe they were indeed vulnerable.
Implementation nitpick: I think the kill switch should turn off data reporting entirely, not only caching. Otherwise you would get different results on cached/uncached. (So set data = "" immediately after the Bleed call.)
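As an added example (not the project's own code) of the two kill-switch designs discussed in the nitpick above, in Go with a constructed `fakeBleed` probe standing in for the real check; the names `Result`, `Checker`, `Check` and `CheckStripOnlyWhenCaching` are assumptions, not the project's API:

```go
package main

type Result struct { // what the checker reports for one host (hypothetical type)
	Vulnerable bool
	Data       string // memory snippet returned in the heartbeat reply
}

// Checker wraps a probe with a result cache and the proposed kill switch.
type Checker struct {
	ReportData bool                     // false: never hand leaked memory to callers
	Bleed      func(host string) Result // hypothetical stand-in for the real probe
	Cache      map[string]Result
}

// CheckStripOnlyWhenCaching shows the flaw raised in review: Data is dropped only from
// the cached copy, so the first lookup of a host returns the snippet, later ones do not.
func (c *Checker) CheckStripOnlyWhenCaching(host string) Result {
	if r, ok := c.Cache[host]; ok {
		return r
	}
	r := c.Bleed(host)
	cached := r
	if !c.ReportData {
		cached.Data = ""
	}
	c.Cache[host] = cached
	return r // still carries the leaked memory
}

// Check applies the suggested fix: clear Data right after the Bleed call, before it
// is cached or returned, so cached and fresh results agree.
func (c *Checker) Check(host string) Result {
	if r, ok := c.Cache[host]; ok {
		return r
	}
	r := c.Bleed(host)
	if !c.ReportData {
		r.Data = "" // bit-bucket the snippet as early as possible
	}
	c.Cache[host] = r
	return r
}

func fakeBleed(host string) Result { // constructed probe, never touches the network
	return Result{Vulnerable: true, Data: "constructed sample of leaked memory"}
}

func main() {
	c := &Checker{Bleed: fakeBleed, Cache: map[string]Result{}}
	println(c.Check("a.test").Data == "") // true: snippet withheld on every path
}
```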
Yep, in our code we bit-bucket data as soon as we can, but then we're also not building a stand alone server like you are.
Perfectly fine if you want to reject the PR. Just figured I'd hand back a mod.
Dead on the vine. Cleaning up.
Data returned from a vuln may contain unknown or personal information. While this may be useful to individuals trying to fix libraries, it's not really appropriate to return that info to unknown parties. Adding a flag to disable this by default.