Limit password reset for recently active users

Created on 1 October 2008, over 16 years ago
Updated 14 July 2023, over 1 year ago

see: http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protec...

Yahoo could also have followed Gmail's lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password "recovery" when there is evidence that somebody who knows the password is actively using the account. If the legitimate user loses the password and doesn't have an alternative email account, he has to wait five days before recovering the password, but this seems like a small price to pay for the extra security.

Drupal's password recovery mechanism doesn't have all the weaknesses that Yahoo's does, but given that WordPress's was recently exploited, it seems a pretty reasonable thing to consider limits - or at least a hook through which contrib modules could add limits.

For example - disable one-time link requests for users logged in within the last 24 hours.
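One way a contrib module could add that limit on Drupal 8+, as an added example that is not code from this issue or from core: a hypothetical module (`recent_login_reset_limit`) appends a validate handler to core's `user_pass` form and drops the request when the account was accessed within the last 24 hours. It assumes core's own `validateForm()` has already stored the loaded user under the `account` form value and runs before this handler (current core behaviour, but an assumption here).

```php
<?php

/**
 * @file
 * Hypothetical module: refuse reset links for recently accessed accounts.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Window (seconds) during which a recently used account gets no reset link.
 * 24 hours, matching the number proposed in the issue summary.
 */
const RECENT_LOGIN_RESET_LIMIT_WINDOW = 24 * 60 * 60;

/**
 * Implements hook_form_FORM_ID_alter() for the core 'user_pass' form.
 *
 * Core's '::validateForm' is already in $form['#validate'], so a handler
 * appended here runs after it and can read the account it loaded.
 */
function recent_login_reset_limit_form_user_pass_alter(array &$form, FormStateInterface $form_state, $form_id) {
  $form['#validate'][] = 'recent_login_reset_limit_user_pass_validate';
}

/**
 * Drops the reset request when the account was accessed inside the window.
 *
 * The account is cleared from form state rather than raising a form error,
 * so the generic "If this is a valid account..." status message still shows
 * and the requester learns nothing about whether the account exists or is
 * in active use.
 */
function recent_login_reset_limit_user_pass_validate(array &$form, FormStateInterface $form_state) {
  /** @var \Drupal\user\UserInterface|null $account */
  $account = $form_state->getValue('account');
  if (!$account) {
    // Unknown or blocked account: core already handles this case.
    return;
  }
  // Never-logged-in accounts have access == 0, so idle is huge: not blocked.
  $idle = \Drupal::time()->getRequestTime() - (int) $account->getLastAccessedTime();
  if ($idle < RECENT_LOGIN_RESET_LIMIT_WINDOW) {
    // Someone holding the password used the account recently: send no
    // one-time login link, but log it so admins can see the attempt.
    \Drupal::logger('recent_login_reset_limit')->notice(
      'Password reset for %name refused: account accessed @idle seconds ago.',
      ['%name' => $account->getAccountName(), '@idle' => $idle]
    );
    $form_state->setValue('account', NULL);
  }
}
```

Note that the `access` timestamp core updates is written at most once every few minutes per session, so "accessed" here means any authenticated request, not only a fresh login.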

Feature request
Status

Postponed

Version

11.0 🔥

Component
User system 

Last updated 2 days ago

Created by

🇺🇸United States pwolanin

  • Security


Comments & Activities


  • First commit to issue fork.
  • Open on Drupal.org →
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    Not currently mergeable.
  • @aheydarya opened merge request.
  • 🇳🇴Norway gisle

    aheydarya: Don't open a merge request without adding any code. Delay opening the request until you have created the code you want merged.

    Creating empty merge requests gets you branded as a spammer and shall not result in an issue credit being given.
