Hacker News: thefreeman's comments

You put a CDN in front of it and heavily cache when serving to external customers


No, it says it is restricted. You need to set a private attribute on the webview to enable it. And if you interact with private APIs, your app will be rejected in review.


I understand, though as conjecture (worked at Apple for years), this looks like an imminent "feature" that will become documented.


It also barely meets the definition of "a vulnerability report". He basically just nmap-scanned the server and googled the Apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through Apache... so it is completely irrelevant. I didn't read every CVE for the Apache version, but I am doubtful there is anything there that actually allows taking over the server.


Also, Apache 2.4.57 is exactly the version of Apache you get when you run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS provides backports of the CVE fixes for you, and the banner still reads Apache 2.4.57!


That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu, reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.
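The point made in the comments above (a banner-only scan cannot tell an unpatched upstream 2.4.57 from a distro build of 2.4.57 with the CVE fixes backported) is easy to check against the package changelog rather than the banner. The script below is an added example, not code from the thread or from any commenter: it takes a scanner finding (banner plus the CVE IDs the scanner attached to it) and the text of the distro package changelog, and reports which findings the changelog already shows as fixed. On EL9-style systems the changelog comes from `rpm -q --changelog httpd`; on Debian/Ubuntu from `/usr/share/doc/apache2/changelog.Debian.gz`. Both formats mention fixes by CVE ID, so the same regex works. The changelog excerpt and the CVE IDs here are constructed placeholders (`CVE-0000-…`), not real identifiers, and the maintainer address is invented.

```python
import re

# Constructed sample of a banner-based scanner finding. The banner is the HTTP
# Server header as seen on the wire; the CVE IDs are placeholders, not real ones.
SCANNER_FINDING = {
    "banner": "Apache/2.4.57 (Red Hat Enterprise Linux)",
    "cves": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
}

# Constructed excerpt in the shape of `rpm -q --changelog httpd` output.
# A real EL changelog lists each backported fix by CVE ID while the upstream
# version number (and therefore the banner) stays at 2.4.57.
RPM_CHANGELOG = """\
* Mon Jan 01 2024 Maintainer <maint@example.invalid> - 2.4.57-8
- Resolves: CVE-0000-0001 (backported)
- Resolves: CVE-0000-0002

* Mon Oct 02 2023 Maintainer <maint@example.invalid> - 2.4.57-5
- Rebase to 2.4.57
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BANNER_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")
# Matches the "upstream-release" field at the end of a changelog header line.
RELEASE_RE = re.compile(r"-\s+(\d+\.\d+\.\d+)-(\S+)\s*$", re.MULTILINE)


def banner_version(banner):
    """Upstream version string the scanner keyed its findings on, or None."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def package_release(changelog):
    """(upstream_version, distro_release) from the newest changelog entry."""
    m = RELEASE_RE.search(changelog)
    return (m.group(1), m.group(2)) if m else None


def backported_cves(changelog):
    """Every CVE ID the package changelog says has been addressed."""
    return set(CVE_RE.findall(changelog))


def triage(finding, changelog):
    """Split scanner CVEs into already-patched (per changelog) and needs-review.

    'needs_review' means the changelog does not mention the ID; it may still be
    fixed (some maintainers omit IDs) or genuinely open, so it is not 'confirmed'.
    """
    fixed = backported_cves(changelog)
    reported = set(finding["cves"])
    return {
        "upstream_version": banner_version(finding["banner"]),
        "package_release": package_release(changelog),
        "already_patched": sorted(reported & fixed),
        "needs_review": sorted(reported - fixed),
    }


if __name__ == "__main__":
    result = triage(SCANNER_FINDING, RPM_CHANGELOG)
    print("banner says upstream", result["upstream_version"],
          "but installed package is", result["package_release"])
    print("already patched by backport:", result["already_patched"])
    print("still needs manual review:", result["needs_review"])
```

The useful output is the split: IDs present in the changelog can be closed as false positives with the changelog line as evidence, while anything left in `needs_review` is checked against the distro's own CVE tracker before it is accepted or rejected. The banner version alone never enters the decision.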


I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.


Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.


Right but the type 2 will prove they actually did what they promised. And yes I’m drawing it out to an absurdity.


Or they just reactivated his previously canceled account and it still had a pin associated


That's... basically what the guy did? He just put the sessionId in the form data instead of a cookie.


> He just put the sessionId in the form data instead of a cookie.

This does not have the benefit of being usable across different tabs, or even of surviving closing and re-opening the page. Besides (a minor point), shoving all the state in the cookie makes the code simple, i.e., you don't have to use URL params.


Just because you are comfortable with one technology and inexperienced or unfamiliar with another does not make one better than the other. How much rails have you written in your career? How much react?


Maybe make the person solve it first, and then they can see the leaderboard / successful prompts and try to refine their answers, without being eligible for the leaderboard.


I am not good at this. I don't want to try (I tried 2 things, it just answered in Chinese...); glad the answers are there.


I think part of the point is you _can't_ hear from them... because they don't have access to the real internet?


The "suspended prison sentence" part is important context too and significantly changes the effect of the sentence. I'm not sure how it works in Germany, but in the U.S. it basically means "if you screw up again you're going to have to serve this sentence, so be on your best behavior".


True - would've been relevant to include that.


> Congress stepping in to exclude Canada and Mexico and the NAFTA exemption cushions the blow significantly.

I know the Senate voted this through. But it still has to pass the House, doesn't it? I doubt it will even get to be voted on with Mike Johnson as Speaker.


And even then, they’d need a 2/3 majority in both chambers to get past a Trump veto, right?

There’s no way they’d get that in the House.

