On Mon, 20 Dec 2021 08:50:00 +1300, Peter Reutemann quoted:
'The Log4Shell exploit "exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization," writes VentureBeat. But the incident also raises some questions: Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?'
Apropos this, Daniel Stenberg, the creator of curl, got a detailed questionnaire from some big corp seemingly depending on his software in some capacity <https://www.theregister.com/2022/01/25/sophos_log4shell/>, demanding answers to ascertain how vulnerable his code is to Log4Shell (answer: it doesn’t use log4j at all). He replied saying, quite reasonably, they had no support contract with him, and that they need to arrange one (with suitable payment, of course), if they wanted actual help from him.