There’s a give-and-take here, where disclosing the vulnerable should be done soon enough to be responsible to affected users, but not so late that it’s seen as pandering to the vendor.

We’ve already seen how much vendors drag their feet when they are given time to fix a vuln before the disclosure, and almost all the major vendors have tried to pull this move where they keep delaying fix unless it becomes public.

Synology hasn’t been very reactive to fixing CVEs unless they’re very public. One nasty vulnerability in the old DSM 6 was found at a hackathon by a researcher (I’ll edit and post the number later), but the fix wasn’t included in the main update stream, you had to go get the patch manually and apply it.

Vendors must have their feet held to the fire on vulns, or they don’t bother doing anything.

Jeff Geerling and Craft Computing have recently reviewer these units on YouTube and they’re fairly optimistic about them.

Do you have xattr fixed for the underlying zfs?

I know this is a joke, but honestly, this would support the artist more than the past 75 years of labels and streaming corps, which is IMO high seas piracy in itself.

Whoah, dude.

Not only are you being told what could have and will ward off unplanned breakage, but you have somehow characterised yourself as an unsuspecting victim here? Inaccurate and really inappropriate comparison.

You knew enough to take on deploying a service, now comes the grown-up part where you hedge against broken updates.