friendlymessage@feddit.detoTechnology@lemmy.ml•Dev rejects CVE severity, makes his GitHub repo read-only
2·
5 months agoThe researchers need to provide proofs of concept. Actual functional exploits.
Talking in general, not for this very issue: In my experience, providing a proof of concept is often a lot harder than simply fixing the issue. For an open source project it’s probably more helpful if the reporter provides a fix or at least a recommendation on how to fix it
Yeah, I agree that any bug report on such a technical level should contain scripts or similar to reproduce the finding but that’s not the same as a full blown proof of concept exploit and I think to require an exploit sets the bar too high. A vulnerability is a vulnerability, no matter whether there’s an exploit or not. If you commission somebody to do a pentest you usually don’t get exploits either.