I like this quote from Daniel Miessler re. log4shell:
"What's so remarkable about this vulnerability (...) is the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. (...) What we should be thinking about is how many other projects are out there that have similar characteristics:
1. The project is maintained by very few people in their spare time
2. If the project had a major issue it would disrupt the entire internet
"We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they're creating from a security standpoint.
(...) It's our fault because we know how bad the situation is and we just YOLO through life as if we didn't. The result is that we get to learn about internet-stopping vulnerabilities from the Minecraft community."