| ▲ | bilekas 6 hours ago | |
> it deters people like me who aren't totally confident in sending reports This is by design, you shouldn't be submitting reports on anything less than certainty. It's not the maintainers responsibility to prove out your idea. It's yours, and when you're sure, reproduceable, and documented it, then you can submit it. | ||
| ▲ | tehryanx 3 hours ago | parent [-] | |
The real problem here is that this is now the only way the maintainer/reporter can reasonably work. Proving out a security vulnerability from beginning to end is often very difficult for someone who isn't a domain expert or hasn't seen the code. Many times I've been reasonably confident that an issue was exploitable but unable to prove it, and a 10s interaction with the maintainer was enough to uncover something serious. Exhausting these report channels is making this unfeasible. But the number of issues that will go undetected, that would have been detected with minimal collaboration between the reporter and the maintainer, is going to be high. | ||