KeithMukai on Nostr:
Security convo matrix is roughly
1. publicly discuss risk, private clarification
2. publicly discuss risk, public clarification
3. privately discuss risk, private clarification
4. privately discuss risk, public clarification
The problem with 1.) is that even if those risks can be fully dispelled as nothings, if that clarification is done in private, everyone else is still freaked out and might think they're in danger.
Therefore since the RHR criticism was so public, so should be the clarification, thus 2.).
3.) and 4.) aren't relevant here, but for completion:
3.) is fine if there was never any real risk (e.g. someone asking, "Hey, can X happen?" "No, it can't because blah." "Ah, okay, cool"). No harm, no foul. But not great if there is a real risk and it's quietly fixed and never publicly disclosed.
4.) is pretty common: "We get this question a lot so let's discuss this concern...". Or it's a real risk that's fixed and then publicly disclosed.
Published at 2024-09-25 22:12:42