Due to complexity and limited auditing a number of vulnerabilites have slipped through again & again, like zero-click exploits for example. Take a look at the sear volume of CVEs and more importantly what they entail.
While they do eventually get found & patched, its not ideal compared to other messaging apps like signal that are very much security first, features 2nd.
A lot of people(normies), especially Apple users tend to think it’s super secure virtually impenetrable technology.
The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.
CVE is a measure for the US government, and always assumes the worst in any case.
I know what curl CVE you’re referring too.
Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
The curl dev was pissed, and rightfully so.
And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.
How so?
Due to complexity and limited auditing a number of vulnerabilites have slipped through again & again, like zero-click exploits for example. Take a look at the sear volume of CVEs and more importantly what they entail. While they do eventually get found & patched, its not ideal compared to other messaging apps like signal that are very much security first, features 2nd.
A lot of people(normies), especially Apple users tend to think it’s super secure virtually impenetrable technology.
The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.
CVE is a measure for the US government, and always assumes the worst in any case.
That being said, I agree with you.
I know what curl CVE you’re referring too.
Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
The curl dev was pissed, and rightfully so.
And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.