Hacker News

sebmellen yesterday at 2:57 AM

Almost three years ago now, Railway poached one of our smartest engineers. They were smart to do so. I have a lot of respect for the Railway team and I’m impressed with their execution.

I think this is their first major security incident. Good that they are transparent about it.

If possible (@justjake) it would be helpful to understand if there was a QA/test process before the release was pushed. I presume there was, so the question is why this was not caught. Was this just an untested part of the codebase?


Replies

justjake yesterday at 10:31 PM

We indeed run tests as well as stage releases. For this issue, when rubber met road in production, we saw cases which weren't visible in staging.

We've rolled out some changes (detailed in the blog post) which should avoid this in the future. Deepest apologies.