the reported version of server software is not necessarily indicative of whether it is vulnerable to an exploit; the software may have had a fix backported, or may have been deployed in a configuration where the vulnerability wasn’t relevant.
-
reporting something based on just a version string and writing a clickbait article about how the person ignored you is just shitty behavior
-
@ariadne See also: bargain-basement PCI compliance scanning companies. I have a side client where we have as much as possible configured (Apache etc.) to strip version numbers from the public responses. Not for security through obscurity, but to hide them from the vendor, which doesn't know what those weird "-4ubuntu13" strings are at the end of our MASSIVELY INSECURE SOFTWARE FAIL FAIL FAIL
Edit: just saw what this was subtooting, and yeah, pretty much what I expected, ugh
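An added example, not from anyone in this thread, of why the "-4ubuntu13" suffix matters: a banner-based scanner only ever sees the upstream number in the Server header, while the host owner can compare the full Debian/Ubuntu package version, revision included. The comparison follows dpkg's ordering rules; the `Apache/2.4.41 (Ubuntu)` banner and the "fixed in" versions are constructed placeholders, not real advisory data.

```python
import itertools
import re

def _order(c: str) -> int:
    # dpkg weight for a non-digit character: '~' sorts before anything, letters before other symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # dpkg ordering of one version part: alternate non-digit runs and numeric runs, compared pairwise;
    # a missing character weighs 0 (so "1.0~rc1" < "1.0"), a missing number counts as 0
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in itertools.zip_longest(ta, tb, fillvalue=("", "")):
        width = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (width - len(sa))
        kb = [_order(c) for c in sb] + [0] * (width - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(a: str, b: str) -> int:
    # Debian/Ubuntu package version [epoch:]upstream[-revision]; returns -1, 0 or 1 like dpkg --compare-versions
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep, revision = rest.rpartition("-")
        return (epoch, upstream, revision) if sep else (epoch, rest, "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def scanner_flags_banner(server_header: str, fixed_upstream: str) -> bool:
    # What a banner-based scanner sees: "Apache/2.4.41 (Ubuntu)" gives only the upstream number to compare
    m = re.search(r"Apache/(\d[\w.]*)", server_header)
    return bool(m) and compare_versions(m.group(1), fixed_upstream) < 0

def package_is_older(installed: str, fixed_in: str) -> bool:
    # What the host owner can check: the full distro package version, "-4ubuntu13" revision included
    return compare_versions(installed, fixed_in) < 0

if __name__ == "__main__":
    # Constructed sample; the fixed-in versions are placeholders, not real advisories
    print(scanner_flags_banner("Apache/2.4.41 (Ubuntu)", "2.4.52"))    # True: banner looks old
    print(package_is_older("2.4.41-4ubuntu13", "2.4.41-4ubuntu12"))    # False: revision carries the fix
```

The same banner is flagged by the first check and cleared by the second, which is the gap between a version-string report and an actual finding.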
-
@ariadne KDE regularly receives reports like "Severity: High, directory listing is enabled on https://amarok.kde.org/images/", usually begging for bounties. I guess they think automated security scanners are get-rich-quick schemes they can use.
-
Oblomov shared this discussion