> Here's a salutary reminder why it pays to patch promptly
Shirley, in this context, that should be "pays to not patch promptly".
Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack. A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April …
This aspect of Jenkins drove me nuts at my old company. All of these plugins, half of them not actually used, coming from a community website which did not appear to be policed significantly. Known privilege escalation bugs on plugins that are highly used but not maintained. And on and on.
A tool like Jenkins is absolutely necessary, but the ecosystem was a nonstarter from a serious security standpoint. I suppose I should be looking around to see what competition there is...
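The complaint above, unused plugins and plugins with known but unfixed bugs, is something you can at least measure. The following is an added example (not code from the thread or from the Jenkins project): a small audit that cross-references the plugin list a Jenkins instance reports at `/pluginManager/api/json?depth=1` with the `warnings` array the Jenkins update center publishes in `update-center.actual.json`, and flags plugins that have an applicable security warning or are installed but not active. The two JSON documents embedded below are constructed to mimic the shape of those real responses; the plugin names, versions and advisory ids in them are placeholders, not real advisories, and the assumption that the update center's Java regex patterns are simple enough for Python's `re.fullmatch` is noted in the code.

```python
"""Audit installed Jenkins plugins against update-center security warnings.

Constructed example, not from the forum post or the Jenkins project. The two
JSON strings mimic the shape of:
  - GET <jenkins>/pluginManager/api/json?depth=1        (installed plugins)
  - the "warnings" array in update-center.actual.json    (security warnings)
All plugin names, versions and SECURITY-* ids below are placeholders.
"""
import json
import re

# Constructed sample of the plugin manager API response.
INSTALLED_PLUGINS_JSON = r"""
{"plugins": [
  {"shortName": "example-build-step", "version": "1.3", "active": true,  "enabled": true},
  {"shortName": "example-reporter",   "version": "0.9", "active": false, "enabled": false},
  {"shortName": "example-scm",        "version": "2.1", "active": true,  "enabled": true}
]}
"""

# Constructed sample of the update center "warnings" array. A warning with an
# empty "versions" list is how the update center marks a plugin that has no
# fixed release at all (typically unmaintained), so it applies to every version.
UPDATE_CENTER_WARNINGS_JSON = r"""
[
  {"id": "SECURITY-PLACEHOLDER-1", "type": "plugin", "name": "example-build-step",
   "message": "Placeholder: privilege escalation in example-build-step",
   "url": "https://example.invalid/advisory/placeholder-1",
   "versions": [{"lastVersion": "1.4", "pattern": "1\\.[0-4](\\..*)?"}]},
  {"id": "SECURITY-PLACEHOLDER-2", "type": "plugin", "name": "example-reporter",
   "message": "Placeholder: unmaintained plugin with an unfixed issue",
   "url": "https://example.invalid/advisory/placeholder-2",
   "versions": []},
  {"id": "SECURITY-PLACEHOLDER-3", "type": "core", "name": "core",
   "message": "Placeholder: core warning, ignored by this plugin audit",
   "url": "https://example.invalid/advisory/placeholder-3",
   "versions": [{"lastVersion": "2.0", "pattern": "2\\..*"}]}
]
"""


def version_matches(version, versions_spec):
    """Return True if a warning applies to the installed version.

    No version entries means the warning covers every version. Otherwise the
    update center gives a regex per affected range that must match the whole
    version string. Assumption: these patterns are simple enough that Python's
    re.fullmatch behaves like Java's Matcher.matches on them.
    """
    if not versions_spec:
        return True
    return any(re.fullmatch(entry["pattern"], version) for entry in versions_spec)


def audit_plugins(installed_json, warnings_json):
    """Cross-reference installed plugins with plugin-type security warnings.

    Returns {"warned": [(name, version, [warning ids])], "inactive": [names]}.
    Inactive plugins are reported separately: they are still on disk and still
    need tracking, but are the cheapest ones to simply remove.
    """
    installed = json.loads(installed_json)["plugins"]
    warnings = json.loads(warnings_json)

    # Index only plugin warnings by plugin short name; core warnings are a
    # separate concern (compare against the running core version instead).
    by_name = {}
    for w in warnings:
        if w.get("type") == "plugin":
            by_name.setdefault(w["name"], []).append(w)

    findings = {"warned": [], "inactive": []}
    for p in installed:
        name, version = p["shortName"], p["version"]
        hits = [w["id"] for w in by_name.get(name, [])
                if version_matches(version, w["versions"])]
        if hits:
            findings["warned"].append((name, version, hits))
        if not p.get("active", True):
            findings["inactive"].append(name)
    return findings


if __name__ == "__main__":
    result = audit_plugins(INSTALLED_PLUGINS_JSON, UPDATE_CENTER_WARNINGS_JSON)
    for name, version, ids in result["warned"]:
        print(f"WARNING  {name} {version}: {', '.join(ids)}")
    for name in result["inactive"]:
        print(f"INACTIVE {name}: installed but not loaded; candidate for removal")
```

Against a live instance you would replace the two constants with the fetched documents (the plugin list needs a user with Overall/Administer or at least the plugin manager read permission, and the update center JSON is public) and run the audit from a scheduled job, so that a plugin acquiring a warning or a new install that is never activated shows up without anyone having to read the plugin manager page by hand.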