a big one.

Not a save exploit not a way for people to launch unsigned code oh no protect us from the evil modders..

Can't they fix things that matter like all the missing abilities and stats that = Null.

Nope Actual game don't matter.

It's only to hotfix the vulnerability issue with mods and saves.

My game stopped working since I installed this patch. Black screen after cliking on Play from the game lauching menu...
https://youtu.be/NeIfKVEs9tI

That's something anyway. I don't plan on playing the game again until they get it together if ever.

Yes, days late. They should have released this hours after PixelRick found it.

Instead, they tried to throw modders under the bus. I guess you could call me one of those CDPR fanboys, but this kind of bs starts to really bug me. Are they really trying to deliberately piss off fans?

It doesn't work like that for big projects, there usually a whole "pipeline" you have to respect before releasing a new version into the wild, even a fix that takes 5 minutes might requires several days before it become available depending of the project and the complexity of the process. Ok, this one got me scratching my head; How exactly ? They said Which part of that is "throw modders under the bus" exactly ? You can often blame CDPR and Gog for not being the best at communication but here you really need to grasp at industrial sided straws to find it as being an attack on moders ?

There is a vulnerability, don't download files, be it saves or mods, from untrusted sources, sounds like common sense to me.

This is a huge security risk. Normally you would put all effort on this one, even if it means halting other development.

There are games that have gotten patches for smaller issues in mere hours. The latest that I can think of is a small game, small team, so of course they could, but still, CrazyBunch released LSL:WDDT and ... I think achievements didn't work. Some thing didn't work. 2 or 3 hours later there was a patch to fix it.

Of course you can't really compare things like this; one bug is not the same as another bug. Some take more time, some take less. The pipeline should bend when high priority cases come at the door. They probably have some sort of priority system for their bugs and new features. Bugs probably have higher priority than new features at the moment. This vulnerability should have been an immediate show stopper/blocker. yamasushi said it better than I.
https://forums.cdprojektred.com/index.php?threads/solved-important-pc-version-vulnerability.11078852/#post-12855656

Except it is not, It would be a huge security risk if it allowed to peoples to remotely access your computer or something like that, but here for it to be a risk you need to manually download a file from an untrusted source and install it/load it, by definition doing that is in itself a security risk. The risk is the same as downloading a crack or a trainer from an unknown source. Except he doesn't say anything, he said modder are being blamed but doesn't give a single example or even any argument as to why he consider it to be the case. There is nothing in CDPR statement blaming mods or modders.

Yes, this kind of thinking is exactly what CDPR's statement is promoting. Equating cracks and mods. This is what annoys me with the whole thing. You hit the nail on the head. It leads you to believe modders are these crackhackers, and if you have read any news article about you know this is exactly how media ran with it.

Yes, there's risks and then there's risks. If you have ever published any mods anywhere you know they are quite tenaciously curated. I have published one simple batch file that enables or disables mods and holy moly was that curated. I had to submit revisions before I was allowed to publish it. I was disabling one mod file that does not need to be disabled, for example, and that alone was enough to reject the batch file. Not because it would make any real difference in any direction, but because it was modifying files that weren't necessary to be modified. So even if the mod does something that does not affect anything, it's still rejected if it is not absolutely necessary to do so.

These mod sites are slightly different than going to some random website and downloading some random thing.

Just implying "watch out for mods" does not discriminate between legitimate sites and some random sites somewhere. But of course if there is a huge security risk, when they leave doors wide open, you should suspect all mods until it is fixed. Which is again, they should have released this hotfix waaaaay sooner. Not just fearmonger about modders.

I am starting to think you are not even trying to understand.

You didn't read yamasushi's post, did you? The way they worded it was saying "watch out for mods", not "we have a security leak so some external files may be used..." That can be taken as them implying they are not at fault. It was a security risk in their part of the game that modders should not even have access to. They did not communicate this.

They gave the implication to media to make those clickbait articles. It is on CDPR.

Perhaps we just have a different definition of honesty. For me honesty is not only that you say things that are technically true. I count implying something although you do not directly say it as dishonest. I count leaving vital information out as dishonest.

Did you read what they said ? (emphasis mine) How do you read that and translate that to "you shouldn't download any mods even from legit, well know and trusted sites" ? If they had said it then maybe you might have had a point but it's not the case.

I did but I think that he is just straw-maning and reading too much in what they said.

What do you think "We've been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs." means ?

They are using some methods in Microsoft API (i.e. in an external DLL) that is know to be able to be used for buffer overflow exploit, and it's not even a bug it's by design, here they forgot to put the code to prevent it. The only way to take advantage of this possible exploit is if you run mods or load a tempered save file, if you don't you don't risk anything and never will, no matter if you are offline / online. The security risk only exists if you download tampered mods or saves.

Remember also that it was a warning for lambda users, not a three pages essay on software security, they had to keep it short and easy to understand for everybody, so simply saying "For now don't download stuff from un-trusted sites" was probably the best way to do so.

They never said / imply it was moders faults, never said / imply that you shouldn't download any mods, never said / imply that stuff you can find on Nexus or other well know modding site was unsafe.

CDPR

Before a patch is considered they have to draft a story of lies and deception to tell everyone then not deliver on any of it.