The “responsibility” part of responsible disclosure goes both ways

It absolutely does, it also means following up, not “They didn’t reply in a week so instead of trying other ways to contact them, I’m just going to post about it”. They didn’t even try to open an issue because they “don’t use github” all while coming here talking about how bad the vulnerability is.

It’s poor (lack of) judgement on OP’s part.

Typical reasonable disclosure is in terms months usually, not “nearly a week”. OP is being irresponsible at best by posting this before giving time to the developers to see, and act on it.

Thank you, I was going to write one up tonight for it. You emailed security @ correct? https://github.com/LemmyNet/lemmy/security/policy

OP doesn’t seem interested in that. They state they “sent a vulnerability a week ago” and didn’t hear back so they are being completely irresponsible and posting about it publicly on a community instead.

If you find a way to disclose vulnerabilities without being ghosted by Lemmy developers: update me.

How have you been “ghosted by Lemmy developers” especially if you “do not use GitHub”

It’s not even a question (outside of clickbait bs by news agencies)

lemmy.world is probably overloaded.

On my instance, everything from them floods through all at once, filling my first couple of pages with hours or even days worth of stuff, then I’ll get nothing from them for a while again.

I mean, maybe it’s because I’m not overly paranoid or live in the US, but this doesn’t seem like a big deal at all.

As for the “drama” of them telling someone they can unfollow, it’s true. It’s again, not a big deal.

This screams people trying to make a mountain out of a molehill.

I ended up just hosting my own Searxng instance. Seems a lot easier to control and not be dependent on how someone else has theirs set up.

Do we know the domains they are going to use for federation yet?