• friendlymessage@feddit.de · 2 points · 5 months ago (edited)

    The researchers need to provide proofs of concept. Actual functional exploits.

    Talking in general, not for this very issue: in my experience, providing a proof of concept is often a lot harder than simply fixing the issue. For an open source project it’s probably more helpful if the reporter provides a fix or at least a recommendation on how to fix it.

    • treadful · 3 points · 5 months ago

      Even if you’re poking at a black box and are reporting that “it acts funny when I poke it this way,” in my opinion a reporter should send along a script or at least explicit instructions on how to repro.

      I take the report more seriously since it demonstrates you have an understanding of the issue or exploit. It will also save my time, and it’s likely a trivial effort for the reporter since they have the context and knowledge of the issue loaded up and ready to go.

      • friendlymessage@feddit.de · 2 points · 5 months ago

        Yeah, I agree that any bug report on such a technical level should contain scripts or similar to reproduce the finding, but that’s not the same as a full-blown proof of concept exploit, and I think requiring an exploit sets the bar too high. A vulnerability is a vulnerability, no matter whether there’s an exploit or not. If you commission somebody to do a pentest you usually don’t get exploits either.