anArbitraryOne 9 hours ago
Nice. But it deters people like me who aren't totally confident in sending reports, trading false positives for false negatives.
grayhatter 2 hours ago | parent | next
> Nice. But it deters people like me who aren't totally confident in sending reports, trading false positives for false negatives

There's no such thing as a reasonable "false positive" on a security report. There is such a thing as a false positive on a bug report. (A real bug that happens to have no security impact is still a true positive, just without a security risk.)

If you can make it crash, or behave incorrectly, or show some repeatable, weird behavior, but you have no idea how you could exploit that for an articulable advantage or for access to the system you shouldn't have, then what you have is a bug, not a security issue. You can, and should, submit a bug report.

Then, critically: "if you waste our time" seems to be an important part of the statement. If you don't know, but you suspect it's a security bug because you shouldn't be able to do this, and it is leaking information that you think is suspicious, and you can easily demonstrate that you can make it happen on demand, and you report that bug and make it easy for them to understand and either confirm the security issue or reject it because [reason], then you haven't wasted anyone's time and this wouldn't apply to your bug.
bilekas 8 hours ago | parent | prev
> it deters people like me who aren't totally confident in sending reports

This is by design; you shouldn't be submitting reports on anything less than certainty. It's not the maintainers' responsibility to prove out your idea. It's yours, and when you're sure, it's reproducible, and you've documented it, then you can submit it.