childofhedgehog, 6 hours ago:
> However, this ongoing incident has been tagged as an advisory, a flag commonly used to describe service issues typically involving limited scope or impact.

How is having Copilot breach trust and privacy an “advisory”? Am I missing something?
dijit, 5 hours ago (reply to childofhedgehog):
Advisory doesn't have the same meaning in security research as it does in the English language. Unfortunately, an "advisory" is a report written about a security incident, like an official statement about the bug, its impact, and how to fix it -- which differs from the English meaning... it's not meant to mean to "advise" people or to "take something" under "advisory" (which is a very soft statement, typically).
lich_king, 4 hours ago (reply to childofhedgehog):
The LLM that wrote this nearly content-free story doesn't know what it's talking about. The basic distinction in the infosec industry is that advisories are what you publish to tell customers that you had a bug in your product that might have exposed them or their data to attacks and you want them to take some specific action (e.g., upgrade a package, review logs); while an incident report is what you publish when you know that the damage happened, it involved your infrastructure, and you want to share some details about what happened and how you're going to prevent it from happening again. Because the latter invites a lot more public attention and regulatory scrutiny, a company like Microsoft will go out of their way to stick to advisories whenever possible (or just keep incidents under wraps). It might have happened at some points in their history, but off the top of my head, I don't recall Microsoft ever publishing a first-party security incident report.
layer8, 5 hours ago (reply to childofhedgehog):
https://www.merriam-webster.com/dictionary/advise meaning 2: "to give information or notice to : INFORM"

An advisory gives notice and/or warns about something, and may give recommendations on possible actions (but doesn’t have to).
bpodgursky, 3 hours ago (reply to childofhedgehog):
If you inflate severity, people simply ignore incident warnings. What's the actual action needed here by a security team? None. You can hate it or not care, but at the end of the day there's no remediation or imminent harm, just a potential issue with DLP policies. Don't make it look like a 0-day that they actually have to deal with.