I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature.
I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling
(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)
Really? That's the fix?
A proper fix is to use "--" to separate arguments.
Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.