• friendlymessage@feddit.de
    link
    fedilink
    arrow-up
    2
    ·
    6 months ago

    Yeah, I agree that any bug report on such a technical level should contain scripts or similar to reproduce the finding but that’s not the same as a full blown proof of concept exploit and I think to require an exploit sets the bar too high. A vulnerability is a vulnerability, no matter whether there’s an exploit or not. If you commission somebody to do a pentest you usually don’t get exploits either.