It’s only a matter of time until there will be a CVE found in the official Mastodon software which will leave a vast majority of instances vulnerable.
PoC or shut your fucking face.
The cool thing about software is that it can be updated, so if someone finds a vulnerability and follows the proper CVE disclosure process, instance admins can just update immediately when it’s disclosed.
I guess it’s a little trickier because open source software can’t really say “fix a vulnerability that hasn’t been disclosed yet” in a commit message without disclosing the bug, and instances can’t just be silently updated before disclosure, but I’m sure there are other ways to handle CVEs that don’t rely on information obfuscation.
Seems like a lot of words just to say that running servers (I mean instances) is too expensive to be self sustaining. I’m not smart enough to know if that’s true or not.
I host my own Lemmy and Mastodon instances. It’s hard to say what I actually pay because I use the server for a lot of things but I guess the monthly price per user is about 1$ or less. The bigger instances are of course more expensive. That is why it is important to spread out communities across instances.
