Ygg2 7 hours ago

I don't buy this line of reasoning. There are zero/one day vulnerabilities that will get extra time to spread. Also, if everyone switches to the same cooldown, wouldn't this just postpone the discovery of future Shai-Huluds? I guess the latter point depends on how Shai-Huluds are detected. If they are discovered by downstreams of libraries, or worse users, then it will do nothing.
hyperpape 3 hours ago | parent

For zero/one days, the trick is that you'd pair dependency cooldowns with automatic scanning for vulnerable dependencies. And in the cases where you have vulnerable dependencies, you'd force update them before the cooldown period had expired, while leaving everything else you can in place.
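The policy described in this reply (a cooldown on new releases, overridden only for packages that scanning flags as vulnerable) can be expressed as a small resolver. The following is an added illustration, not code from the thread or from any registry tooling; the package releases, dates and advisory range are constructed sample data, and the version-tuple and advisory shapes are assumptions made for the example.

```python
"""Dependency cooldown with a vulnerability override (added example).

Picks the newest release that is at least COOLDOWN_DAYS old. If the currently
pinned version falls inside a known advisory range, the cooldown is bypassed
for that one package and it is moved to the oldest release that is no longer
affected, so the rest of the dependency tree keeps its cooldown protection.
"""
from dataclasses import dataclass
from datetime import date, timedelta

COOLDOWN_DAYS = 7


@dataclass(frozen=True)
class Release:
    version: tuple   # (major, minor, patch), compares lexicographically
    published: date


@dataclass(frozen=True)
class Advisory:
    # Affected range: introduced <= version < fixed (assumed shape, like OSV ranges)
    introduced: tuple
    fixed: tuple


def is_affected(version, advisories):
    """True if any advisory range contains this version."""
    return any(a.introduced <= version < a.fixed for a in advisories)


def choose_version(pinned, releases, advisories, today, cooldown_days=COOLDOWN_DAYS):
    """Return (version_to_use, reason)."""
    cutoff = today - timedelta(days=cooldown_days)

    if is_affected(pinned, advisories):
        # Security override: ignore the cooldown for this package only and take
        # the *oldest* unaffected release above the pin, which has had the most
        # exposure time of the available fixes.
        fixed = sorted(
            r.version for r in releases
            if r.version > pinned and not is_affected(r.version, advisories)
        )
        if fixed:
            return fixed[0], "forced-upgrade"
        return pinned, "no-fix-available"

    # Normal path: only releases that have aged past the cooldown and are not
    # themselves under an advisory are eligible.
    aged = [
        r.version for r in releases
        if r.published <= cutoff and not is_affected(r.version, advisories)
    ]
    if aged and max(aged) > pinned:
        return max(aged), "cooldown-upgrade"
    return pinned, "hold"


# Constructed sample data for the example.
SAMPLE_RELEASES = [
    Release((1, 4, 0), date(2025, 9, 1)),
    Release((1, 4, 1), date(2025, 9, 10)),   # affected by the advisory below
    Release((1, 4, 2), date(2025, 9, 14)),   # fix, still inside the cooldown window
    Release((1, 5, 0), date(2025, 9, 15)),   # newer, also unaffected
]
SAMPLE_ADVISORIES = [Advisory(introduced=(1, 4, 1), fixed=(1, 4, 2))]
TODAY = date(2025, 9, 16)


if __name__ == "__main__":
    for pinned in [(1, 3, 0), (1, 4, 0), (1, 4, 1)]:
        print(pinned, "->", choose_version(pinned, SAMPLE_RELEASES, SAMPLE_ADVISORIES, TODAY))
```

With the sample data, a project pinned to 1.4.0 holds (1.5.0 is too new), one pinned to 1.3.0 moves to 1.4.0 (the only release past the cutoff), and one pinned to the vulnerable 1.4.1 is forced to 1.4.2 even though that release is only two days old.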
__s 5 hours ago | parent

There are companies like Helix Guard scanning registries. They advertise static analysis / LLM analysis, but honeypot instances can also install packages & detect certain files like cloud configs being accessed.
wavemode 2 hours ago | parent

Your line of reasoning only makes sense if literally almost all developers in the world adopt cooldowns, and adopt the same cooldown. That would be a level of mass participation yet unseen by mankind (in anything, much less something as subjective as software development). I think we're fine.