codegeek 6 hours ago

"There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

Let me guess though. They are SOC2 and ISO compliant right ?

sailfast 5 hours ago | parent | next

One hopes not, as this stuff would have come up in even a cursory audit of the product, but it's kinda like Ratings Agencies / Moody's in 2008 right now, until a big breach occurs post-cert and they lose their credibility.

zbentley 5 hours ago | parent

The number of FISMA-HIGH, ATO’d/RMF’d, security audited government systems I’ve seen with equivalent security issues is…substantially nonzero.

I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.

Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.
