Mira has submitted https://manifold.markets/Mira/will-manifold-leak-everyones-privat-b91cb81a49c8 as evidence that this should resolve YES. Any objections?

Oh duh, yeah this market was made ages ago I forgot it counted stuff that already happened. That seems correct to me.

called it https://manifold.markets/IsaacKing/will-manifold-experience-a-serious

i think it's debatable, but lean yes? I think the attempt to pretend that my suggestion wasn't what they meant, laundered behind a joke, wasn't ideal conduct.

@IsaacKing Was it actually „personal data”?

yes

@IsaacKing just to make sure I'm understanding what happened here. This market was made a long time ago, information leaked in mid August, and then we only realized it applied to this market today?

And to be extra clear, nothing new has leaked since the linked market in August?

@zzlk I have not been informed of any new leaks, no.

(I was absent from the platform for ~4 months, so I was unaware of the earlier leaks until Mira told me.)

@IsaacKing wish that this wasnt sufficient for a resolution, I was really looking forward to what'd be presented next by Mira

The question is, how long does Mira want to wait before revealing the breach in order try to get more mana?

Do people know something I don’t?

@esusatyo I would have substantially more profit if I followed these two simple rules:

1. Don’t bet against Messi

2. Don’t bet against @Mira

@Charlie You’re right

IMO it's way too high now. Credit card numbers aren't even stored in Manifold's DB, they use Stripe. So the only option is to leak e-mail addresses? I can't think of a use case in which a bug could cause it, since users are identified by id and user name.

e-mail addresses or "etc."

Would you say the "security breach" is more important, or the "leak of people's personal information"? Is there a minimum "difficulty level" required?

i.e. suppose Manifold puts up an endpoint "/v0/credit-card-number" or starts putting email addresses in the API responses. Would that resolve this positively even though it was intentional and requires no 'hacking'?

Or if they unintentionally include email addresses in the output, patch it, but it's not like a targeted attack from a hacker - they just were careless and gave it out? Maybe it wouldn't be "serious" just because it's so easy to do.

@Mira should we be worried

@Mira a security breach does not have to be initiated or even exploited by someone external to be a serious breach imho.

Say that a backup of the database containing emails was inadvertently made public, and someone in the team figures it out and takes it offline before anyone downloads it, I'd still count that as a serious breach.

@Mira That all sounds like it would count. If they unintentionally expose user data that's still a "breach", even if it's not a "hack". If they do it intentionally... that would be weird, but I guess it still counts.

Maybe (probably not) you're talking about unlisting private markets and revealing some of them? I think it's debatable if that's a security breach.

@jacksonpolack I mean it's written in Javascript right? Even if I don't have anything now, what are the chances that it goes a whole year without getting hacked?

Semiconductor market currently redirects to a different website.

@Mira 🤔

q: would it count if someone who is not an employee at Manifold finds and reports a vuln that would have classified as a breach per rules if being exploited, but instead of being exploited it gets fixed?

@NikitaSkovoroda No, I don't think that should count.

@IsaacKing Eh

@IsaacKing Perhaps I should just make another market )