A simple HN-like web app that indexes security (and security adjacent) write-ups.
Imagine you, as a security researcher (or any other persona in the security field), wanted to see what prior works are available around bypassing the v8 sandbox using webasm, or what's been done or found targeting deserialization in Go.
Using this web app, you can search the indexed and tagged write ups.
Also adding MCP support to it so your agents can search too.
Hopefully going live soon.
P.S: I said HN-like, but tbh it’s just the UI that looks a bit like HN (I’m not a good designer, so got heavy inspiration from HN listing style), otherwise there’s no other overlap in functionality yet.
Amazing idea - absolutely loving vouch.
However, as a security person, this comment immediately caught my attention.
A few things come to mind (it's late here, so apologies in advance if they're trivial and not thought through):
- Threat actors compromising an account and using it to vouch for another account. I have a "hunch" it could fly under the radar, though admittedly I can't see how it would be different from another rogue commit by the compromised account (hence the hunch).
- Threat actors creating fake chains of trust, working the human factor by creating fake personas and inflating stats on Github to create (fake) credibility (like how number of likes on a video can cause other people to like or not, I've noticed I may not like a video if it has a low count which I would've if it had millions - could this be applied here somehow with the threat actor's inflated repo stats?)
- Can I use this to perform a Contribution-DDOS against a specific person?
The idea is sound, and we definitely need something to address the surge in low-effort PRs, especially in the post-LLM era.
Regarding your points:
"Threat Actors compromising an account..." You're spot on. A vouch-based system inevitably puts a huge target on high-reputation accounts. They become high-value assets for account takeovers.
"Threat actors creating fake chains of trust..." This is already prevalent in the crypto landscape... we saw similar dynamics play out recently with OpenClaw. If there is a metric for trust, it will be gamed.
From my experience, you cannot successfully layer a centralized reputation system over a decentralized (open contribution) ecosystem. The reputation mechanism itself needs to be decentralized, evolving, and heuristics-based rather than static.
I actually proposed a similar heuristic approach (on a smaller scale) for the expressjs repo a few months back when they were the first to get hit by mass low-quality PRs: https://gist.github.com/freakynit/c351872e4e8f2d73e3f21c4678... (sorry, couldn't link to the original comment due to some GitHub UI issue; it was not showing me the link)
This is a strange comment because this is literally the world that we live in now. We just assume that everyone is vouched for by someone (perhaps GitHub/GitLab). Adding this layer of vouching will basically cull all of those very cheap and meaningless vouches. Now you have to work to earn the trust. And if you lose that trust, you actually lose something.
I belong to a community that uses a chain of trust like this with regards to inviting new people. The process for avoiding the bad actor chain problem is pretty trivial: If someone catches a ban, everyone downstream of them loses access pending review, and everyone upstream of them loses invite permissions, pending review. Typically, some or most of the downstream people end up quickly getting vouched for by existing members of the community, and it tends to be pretty easy to find who messed up with a poorly-vetted invite (most often, it was the person who got banned's inviter). Person with poor judgement loses their invite permissions for a bit, everyone upstream from them gets their invite permissions back.
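The ban cascade described in the comment above, written out as a small added model (this is illustration code, not code from the commenter or from any project on the page). It assumes, as constructed details, that members form an invite tree with at most one inviter each, that a ban suspends every downstream member and revokes invite permission from every upstream member pending review, that a suspended member can be re-vouched by any unaffected member in good standing (and is re-parented under that voucher so the chain stays consistent), and that review restores invite permission upstream.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    inviter: Optional[str] = None  # None marks a root member
    banned: bool = False
    suspended: bool = False        # access paused pending review
    can_invite: bool = True        # invite permission


class InviteTree:
    """Chain-of-trust invite tree with the ban cascade from the comment."""

    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}

    def add(self, name: str, inviter: Optional[str] = None) -> None:
        if inviter is not None:
            inv = self.members[inviter]
            if inv.banned or inv.suspended or not inv.can_invite:
                raise PermissionError(f"{inviter} cannot invite right now")
        self.members[name] = Member(name, inviter)

    def upstream(self, name: str) -> List[str]:
        """Inviter chain from the member up to the root."""
        chain: List[str] = []
        cur = self.members[name].inviter
        while cur is not None:
            chain.append(cur)
            cur = self.members[cur].inviter
        return chain

    def downstream(self, name: str) -> List[str]:
        """Every member invited (transitively) by the given member."""
        result: List[str] = []
        queue = deque([name])
        while queue:
            cur = queue.popleft()
            for m in self.members.values():
                if m.inviter == cur:
                    result.append(m.name)
                    queue.append(m.name)
        return result

    def ban(self, name: str) -> None:
        """Ban one member: downstream loses access, upstream loses invite rights."""
        m = self.members[name]
        m.banned = True
        m.can_invite = False
        for d in self.downstream(name):
            self.members[d].suspended = True
        for u in self.upstream(name):
            self.members[u].can_invite = False

    def revouch(self, suspended_name: str, voucher: str) -> None:
        """An unaffected member in good standing vouches for a suspended one.

        Assumption for this model: the member is re-parented under the voucher,
        so trust is traceable to someone who actually reviewed them.
        """
        v = self.members[voucher]
        s = self.members[suspended_name]
        if v.banned or v.suspended or not v.can_invite:
            raise PermissionError(f"{voucher} is not in good standing")
        if not s.suspended or s.banned:
            raise ValueError(f"{suspended_name} is not awaiting a vouch")
        s.suspended = False
        s.inviter = voucher

    def restore_invite(self, name: str) -> None:
        """Review completed: give a non-banned member their invite rights back."""
        m = self.members[name]
        if not m.banned:
            m.can_invite = True


def demo() -> InviteTree:
    # Constructed sample community: root -> alice -> bob -> carol, root -> dave
    t = InviteTree()
    t.add("root")
    t.add("alice", "root")
    t.add("bob", "alice")
    t.add("carol", "bob")
    t.add("dave", "root")
    t.ban("bob")                 # carol suspended; alice and root lose invite rights
    t.revouch("carol", "dave")   # dave (unaffected) takes carol back in
    t.restore_invite("alice")    # review done: alice's judgement lapse forgiven
    return t


if __name__ == "__main__":
    for m in demo().members.values():
        print(m)
```

The `demo()` function walks the exact sequence the comment describes: one ban, the downstream member getting quickly re-vouched by an unaffected member, and the inviter regaining invite permission after review.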
Same thoughts here.
I gave it the benefit of the doubt, thought it might be an adoption for a specific field, or an extension of thought, or maybe a fun twist or something.
Maybe we can break out of it by giving whoever is taking accountability if that thing goes wrong a tie-breaker vote, or have their votes weigh a bit more?
Just putting it here in case anyone has to do it (I hope no one ever needs it): it is NOT painful at all.
I was told "it's like a grenade explodes in your spine" by a (stupid) friend, which caused me to refuse to do it the first time. If I had gone through with it, things would've been very different for me; I would've been diagnosed days faster.
Again, it’s NOT painful at all, they use Lidocaine, you’ll feel way less than when they draw blood from your arm.
I had one of these a few weeks ago, and it was the most traumatic experience in my life. They tried 3 times, and it hurt beyond measure. The lidocaine was supposed to be the painful one, but it was like a tickle compared to the punctures.
Then I had a horrible positional headache that lasted a full week. For the whole week I could barely tolerate going to the restroom. And when laying down (only the first 2 days) it ached between my shoulder blades so bad it was painful to breathe. Then for another 3 weeks I started to feel dizzy and weak if I spent over an hour upright.
Love that you had a good experience. I perform these procedures semi-regularly, and in some cases they can be painful (even with lidocaine). Most people tolerate them very well though, I usually compare it to the pain of an IV stick, which most people have already tolerated, but which can also cause some people a surprising amount of distress.
I had one and they let me walk the next day to other diagnostics; I had about 6 months of severe headaches afterwards which were only bearable when lying down flat. Glad it went away, finally. If I remember correctly you should stay in bed for 48h after the procedure.
Yes, the possibility of severe and prolonged headaches is part of my consent for this procedure. That said, I'm usually only performing the procedure to help exclude (or confirm) a medical condition with risk of permanent disability or death, so it can be a tough decision at times.
I am glad you had a good experience. For me it was the most scary medical experience I've ever had. I think they hit a nerve because I felt my foot involuntarily cramping. The feeling is hard to describe. Also I lost vision completely for a minute. I was fine after though, just a little weak.
They are spamming other websites with links to my website like in your example. Google crawls those other websites, follows the spammy link to mine, and I get penalized for having a page with spam content.
The solution is to tell the crawler that my search page shouldn't be indexed. This can be done with the robots meta tags.
My two problems with access through libraries are the lack of app access, and that every time I log in, all my progress is gone (not reset to the cover; gone gone), and I have to find the resource again, open it and go to the page/time I was at. Also I can't create my own playlist or favorites.
One piece of feedback I have is that the instant I get the combination correct and complete a challenge, it suddenly pops up a "congratulations" message with a button to go to the next level, so I can't see my final solution.
I really want to take a few seconds to see my final solution, study, understand and admire it.
And that's why email compromises are so dangerous: aside from all the different accesses tied to emails, there's also a wealth of information inside the inbox.