Update all-for-one.md#382
Conversation
You can see a preview of the template here: https://github.com/gagliardetto/securitylab/blob/patch-2/.github/ISSUE_TEMPLATE/all-for-one.md
xcorail left a comment:
Hey @gagliardetto thanks for this PR
Sorry for all the suggestions, it's a bit messy but TL;DR is
- Move back the CVE requirement up into the Results section
- Move down the social section
- Align the Results section instructions to the CVE requirement
Let's iterate after this first pass, as all the suggestions make the PR difficult to read
## 3. Social

### Instructions ❓

Are you planning to discuss your query publicly? (Blog Post, social networks, etc).

**We would love to [help you] spread the word about the good work you are doing.**

### Your answer 👇

- [ ] Yes
- [ ] No
- [ ] Yes, I already have: [link](link)

Suggested change:

## 3. Social
### Instructions ❓
Are you planning to discuss your query publicly? (Blog Post, social networks, etc).
**We would love to [help you] spread the word about the good work you are doing.**
### Your answer 👇
- [ ] Yes
- [ ] No
- [ ] Yes, I already have: [link](link)
- Description: URL to vulnerable code

- CVE-20nn-nnnnn

Suggested change:

## 5. CVE ID(s)

## 5. CVE ID(s)

## Report

Suggested change:

### Instructions ❓

### Instructions ❓

*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*

Suggested change:

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).

- [ ] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*
## Result(s)

Suggested change:

### Your answer 👇

- Answer: ...
1. How have you reduced the number of **false positives**?
- Answer: ...

Suggested change:

1. Etc.
1. Other information?

- [ ] The vulnerability is already **fixed and disclosed**.

Suggested change:

- [ ] The vulnerability is already **fixed and disclosed**.
- Description: URL to vulnerable code

- [ ] I will provide the result(s) **privately** to the Security Lab.
**OR**

- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us.
- But in any case, we need proof that you **did your own research** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that it is a **real vulnerability** that happens in real apps (and not a baseless assumption).

Suggested change:

### Your answer 👇 (select one)
### Your answer 👇

- But in any case, we need proof that you **did your own research** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that it is a **real vulnerability** that happens in real apps (and not a baseless assumption).

### Your answer 👇 (select one)

Suggested change:

- Existing CVEs that my query would have been able to find if they weren't already fixed:
  1. CVE-20nn-nnnnn
- Vulnerabilities that my query found and then resulted in a CVE:
  1. CVE-20nn-nnnnn
**OR**
👋🏾 @gagliardetto cc @pwntester

Thank you @xcorail! Sorry, I completely forgot about this one.
This PR is a draft of how I would address the major points of confusion for bug bounty application submitters, and remove obstacles that might discourage and create friction for anyone considering writing and submitting a query.
Preview: https://github.com/gagliardetto/securitylab/blob/patch-2/.github/ISSUE_TEMPLATE/all-for-one.md