github · gagliardetto · Jun 10, 2021 · Jun 10, 2021 · Jun 10, 2021 · Jun 10, 2021
diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md
@@ -1,32 +1,87 @@
 ---
 name: All for One, One For All bounty submission
 about: Submit a CodeQL query for the All For One, One For All bounty (https://securitylab.github.com/bounties)
-title: "[USERNAME]: [SUMMARY]"
+title: "[TARGET-LANGUAGE]: [SUMMARY]"
 labels: All For One
 assignees: ''
 
 ---
 
-## Query
+## 1. Query
 
-*Link to pull request with your CodeQL query:*
+### Instructions ❓
+
+Link to pull request with your CodeQL query:
+
+### Your answer 👇
 
 Relevant PR: https://github.com/github/codeql/pull/nnnn
 
-## CVE ID(s)
+## 2. Report
+
+### Instructions ❓
+
+Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
+
+### Your answer 👇 (you can ignore the suggested format)
+
+1. What is the vulnerability?
+	- Answer: ...
+1. How does the vulnerability work?
+	- Answer: ...
+1. What strategy do you use in your query to find the vulnerability?
+	- Answer: ...
+1. How have you reduced the number of **false positives**?
+	- Answer: ...	
+1. Etc.
-1. Etc.
+1. Other information?
-1. Etc.
+1. Other information?
+	- Answer: ...
+
+## 3. Social
+
+### Instructions ❓
+
+Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
+
+**We would love to [help you] spread the word about the good work you are doing.**
+
+### Your answer 👇
+
+- [ ] Yes
+- [ ] No
+- [ ] Yes, I already have: [link](link)
+
-## 3. Social
-
-### Instructions ❓
-
-Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
-
-**We would love to [help you] spread the word about the good work you are doing.**
-
-### Your answer 👇
-
- [ ] Yes
- [ ] No
- [ ] Yes, I already have: [link](link)
-## 3. Social
-
-### Instructions ❓
-
-Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
-
-**We would love to [help you] spread the word about the good work you are doing.**
-
-### Your answer 👇
-
- [ ] Yes
- [ ] No
- [ ] Yes, I already have: [link](link)
+## 4. Result(s)
+
+### Instructions ❓
+
+- Provide at least one useful result found by your query, on some revision of a real project.
- Provide at least one useful result found by your query, on some revision of a real project.
+- Provide at least one useful result found by your query, on some revision of a real project, under the form of a list of CVEs.
- Provide at least one useful result found by your query, on some revision of a real project.
+- Provide at least one useful result found by your query, on some revision of a real project, under the form of a list of CVEs.
+- If the result(s) is **fixed and disclosed**, then you can link it in this PR.
+- If the result(s) is **NOT** fixed **nor disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`.
- If the result(s) is **NOT** fixed **nor disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`.
+- If the result(s) is **NOT YET** fixed **nor disclosed**, and you are still waiting for a CVE, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result)
- If the result(s) is **NOT** fixed **nor disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`.
+- If the result(s) is **NOT YET** fixed **nor disclosed**, and you are still waiting for a CVE, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result)
+- Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects.
- Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects.
+- Even though the vulnerabilities found by your query might be **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects.
- Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects.
+- Even though the vulnerabilities found by your query might be **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects.
+- We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them].
- We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them].
- We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them].
+- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us.
- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us.
+- We're here for **securing open source at scale** and if your query finds many vulnerable repositories, requiring a big coordinated disclosure, let's discuss and work together.
- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us.
+- We're here for **securing open source at scale** and if your query finds many vulnerable repositories, requiring a big coordinated disclosure, let's discuss and work together.
+- But in any case, we need proof that you **did your own reaserch** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that is it a **real vulnerability** that happens in real apps (and not a baseless assumption).
- But in any case, we need proof that you **did your own reaserch** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that is it a **real vulnerability** that happens in real apps (and not a baseless assumption).
+- If for some reason you cannot provide a CVE, but if you can provide evidence that your query found at least one **real security vulnerability** and if you are confident that the pattern can be found in open source projects, please provide these elements.
- But in any case, we need proof that you **did your own reaserch** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that is it a **real vulnerability** that happens in real apps (and not a baseless assumption).
+- If for some reason you cannot provide a CVE, but if you can provide evidence that your query found at least one **real security vulnerability** and if you are confident that the pattern can be found in open source projects, please provide these elements.
+
+### Your answer 👇 (select one)
-### Your answer 👇 (select one)
+### Your answer 👇 
-### Your answer 👇 (select one)
+### Your answer 👇 
+
-
+- Existing CVEs that my query would have been able to find if they weren't already fixed:
+	1. CVE-20nn-nnnnn
+
+- Vulnerabilities that my query found and then resulted in a CVE:
+	1. CVE-20nn-nnnnn	
+
+  **OR**
-
+- Existing CVEs that my query would have been able to find if they weren't already fixed:
+	1. CVE-20nn-nnnnn
+
+- Vulnerabilities that my query found and then resulted in a CVE:
+	1. CVE-20nn-nnnnn	
+
+  **OR**
+- [ ] I will provide the result(s) **privately** to the Security Lab.
+
+**OR**
-**OR**
-**OR**
 
-*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*
+- [ ] The vulnerability is already **fixed and disclosed**.
+	- Description: URL to vulnerable code
- [ ] The vulnerability is already **fixed and disclosed**.
-	- Description: URL to vulnerable code
- [ ] The vulnerability is already **fixed and disclosed**.
-	- Description: URL to vulnerable code
 
-- CVE-20nn-nnnnn
+## 5. CVE ID(s)
-## 5. CVE ID(s)
-## 5. CVE ID(s)
 
-## Report
+### Instructions ❓
-### Instructions ❓
-### Instructions ❓
 
-*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*
+List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).
-List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).
-List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).
 
-- [ ] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*
 
-## Result(s)
+### Your answer 👇
-### Your answer 👇
-### Your answer 👇
 
-*Provide at least one useful result found by your query, on some revision of a real project.*
+- Existing CVEs that my query would have been able to find if they weren't already fixed:
+	1. CVE-20nn-nnnnn
- Existing CVEs that my query would have been able to find if they weren't already fixed:
-	1. CVE-20nn-nnnnn
- Existing CVEs that my query would have been able to find if they weren't already fixed:
-	1. CVE-20nn-nnnnn
 
-- [description](url)
+- Vulnerabilities that my query found and then resulted in a CVE:
+	1. CVE-20nn-nnnnn	
- Vulnerabilities that my query found and then resulted in a CVE:
-	1. CVE-20nn-nnnnn	
+## 3. Social
+
+### Instructions ❓
+
+Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
+
+**We would love to [help you] spread the word about the good work you are doing.**
+
+### Your answer 👇
+
+- [ ] Yes
+- [ ] No
+- [ ] Yes, I already have: [link](link)
+
- Vulnerabilities that my query found and then resulted in a CVE:
-	1. CVE-20nn-nnnnn	
+## 3. Social
+
+### Instructions ❓
+
+Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
+
+**We would love to [help you] spread the word about the good work you are doing.**
+
+### Your answer 👇
+
+- [ ] Yes
+- [ ] No
+- [ ] Yes, I already have: [link](link)
+