There are enough blog posts about the infamous Shellshock bug already, but this one is about how it affects you, the SpiderOak user. If Shellshock or bash don’t ring a bell, let’s just say it’s a bug in a core piece of software that lives on a lot of machines around the world.

The bug on its own is not really problematic: it sits in the way bash parses function definitions handed to it through environment variables. The picture gets really dark once you look at how much other software passes attacker-controlled input to bash through exactly those variables (a web server running CGI scripts being the classic case), because then anyone who can reach that software can run commands on the machine.
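As an added example (not SpiderOak's code and not part of the original post), here is a POSIX shell script that probes a given bash binary for the original Shellshock bug (CVE-2014-6271) and for the parser bug that the first fix left open (CVE-2014-7169). Both probes use the well-known harmless test payloads; the function names, the optional path argument and the output format are this example's own.

```shell
#!/bin/sh
# Added example, not SpiderOak's code: probe a bash binary for the original
# Shellshock bug (CVE-2014-6271) and the parser bug left open by the first fix
# (CVE-2014-7169). The crafted environment variables only run harmless commands.

# Prints "vulnerable", "patched" or "no-bash" for the bash given as $1
# (default: the first "bash" on PATH).
# Exit status: 0 patched, 1 vulnerable, 2 no usable bash.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 2; }
    # An unpatched bash imports x as a function and keeps parsing past the
    # closing brace, so the trailing "echo SHELLSHOCK" runs at startup.
    out=$(env x='() { :;}; echo SHELLSHOCK' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Same contract as above, for the incomplete-fix follow-up. A bash carrying only
# the first patch leaves the parser in a state where the malformed definition
# turns "echo date" into a redirection that creates a file named "echo", so the
# probe runs inside a scratch directory and looks for that file.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 2; }
    tmp=$(mktemp -d) || { echo no-bash; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then status=vulnerable; rc=1; else status=patched; rc=0; fi
    rm -rf "$tmp"
    echo "$status"
    return "$rc"
}

# Runs both probes and prints one line per CVE. Exit status is 0 only when
# every probe reports "patched", so the script can drive a fleet-wide check.
shellshock_report() {
    bash_bin="${1:-bash}"
    overall=0
    r1=$(check_cve_2014_6271 "$bash_bin") || overall=1
    r2=$(check_cve_2014_7169 "$bash_bin") || overall=1
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    return "$overall"
}

# Usage: sh shellshock-check.sh [/path/to/bash]
shellshock_report "${1:-bash}"
```

Run it with no argument to test the bash on PATH, or pass the path of a specific binary (useful on hosts that ship more than one). A non-zero exit status from `shellshock_report` flags a host that still needs the update; on a fully patched system both lines read `patched`.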

WHAT ARE WE DOING ABOUT IT?

As I said, the point of this post is not to write page after page about possible exploitations of the bug or anything like that. It’s about letting all our users know that we are on top of it. As soon as we heard about the bug, we applied the first available update everywhere. So far, I believe we’ve updated three times, but I may have lost count. We’ve received a lot of support questions about this issue, and I’m glad that the answer to all of them is the same: we’ve patched all our servers.

RESPONSIBLE DISCLOSURE

There is one thing I would like to take a moment to reflect on, and that is responsible disclosure. This bug is a great example of how things can go wrong with a security vulnerability. So far the timeline has been something along the lines of:

Granted, it’s a really complex thing to fix. However, all the above steps that happened in public should have happened behind closed doors to prevent all this update and exploitation madness.

Vulnerability disclosure can be really tricky, and I know the people behind this particular case did a very good job. This is not a rant towards them but rather an observation from the outside. Do we need to include more security researchers in the disclosure procedure to avoid more “false positive” fixes, patches that go out, get deployed everywhere, and then turn out not to close the hole?

This past year proved that we will continue to see a lot of vulnerabilities with really huge impact. When one of them goes public, we need the full details and a complete fix to be ready at the same time.