F5 says hackers stole undisclosed BIG-IP flaws, source code

Undisclosed vulnerabilities & internal practices

  • Commenters infer that the attackers reached F5’s internal development systems and engineering documentation, including details of BIG-IP vulnerabilities that were known internally but not yet fixed or publicly disclosed.
  • People joke that attackers could just search for “TODO” or “here be dragons” in the codebase or bug trackers.
  • There is criticism that a major security vendor with military and large-enterprise customers is apparently sitting on known issues rather than fixing them promptly.

“Nation-state actor” framing

  • Many see “highly sophisticated nation-state threat actor” as PR spin that makes the breach sound less like corporate incompetence and more like unavoidable force majeure.
  • Others counter that state-backed hacking programs are real, heavily funded, and materially harder to defend against.
  • Several note the phrase is routinely used in incident reports as a “get out of jail free” card for executives and to reduce perceived negligence, not to inform the public.
  • Some argue attribution still matters: a criminal gang and an espionage actor imply very different follow-up investigations and risk models (e.g., whether stolen bug details will be sold and mass-exploited, or used quietly against selected targets).

Centralized TLS decryption / BIG-IP as critical infrastructure

  • BIG-IP’s role in deep packet inspection, TLS termination, CAC/mTLS client-certificate authentication, and sensitive services (e.g., tokenization for payments, military networks) makes these vulnerabilities especially dangerous: a device that terminates TLS for many services holds the plaintext traffic and private keys for all of them.
  • Strong criticism of centralized TLS decryption: it creates a massive single point of failure and effectively pre-installs “Eve’s tools” (an eavesdropper’s vantage point) for whoever compromises the box next.
  • Others note a tradeoff: inspecting decrypted traffic gives defenders visibility for detection, at the cost of concentrating systemic risk in one component.

Trust in F5’s statements & technical response

  • Skepticism toward F5’s claims that the stolen vulnerability details have not been exploited and that the software supply chain was not tampered with, especially given the attackers’ long-term undetected access.
  • Lawyered phrases like “no knowledge” and “not aware” are seen as carefully crafted to admit almost any reality.
  • Rotation of F5’s code-signing keys and a broad CISA emergency directive (“mitigate F5 devices”) are read as signals of serious impact, and possibly as a push to phase out affected products.

Disclosure timing & incentives

  • The roughly 67-day gap between breach discovery and public disclosure draws criticism.
  • Explanations raised include: law enforcement requests to delay disclosure, weak legal consequences for breaches, and enterprise vendors preferring quiet remediation through private customer channels.
  • Some see this as part of a broader pattern where brand damage and legal risk are low enough that transparency is not incentivized.

Security industry & toolchain risks

  • Irony is noted that a major “cybersecurity” provider was deeply compromised.
  • Discussion broadens to third-party agents and monitoring tools as de facto backdoors: they run on every host, hold high privileges, and ship data off-site, so compromising the vendor compromises every customer.
  • This breach is cited as a concrete argument against government-mandated backdoors and against over-centralized security infrastructures.