Comments (6)

tooryx avatar tooryx commented on May 31, 2024

Hi @frkngksl,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

from tsunami-security-scanner-plugins.

frkngksl avatar frkngksl commented on May 31, 2024

Hi @tooryx, I submitted the detector and docker files. Thanks in advance.

frkngksl avatar frkngksl commented on May 31, 2024

Hi @maoning, can this issue be counted as an AI PRP now?

maoning avatar maoning commented on May 31, 2024

@frkngksl I just noticed that your request here overlaps with an existing AI plugin request, #428. It's my fault for not noticing the overlap. I hope that using the new ai-bounty-prp tag will prevent similar issues from happening.

As #428 has RCE verification, I will merge in that one instead. However, I will make sure your other PRs are reviewed in a timely manner.

frkngksl avatar frkngksl commented on May 31, 2024

Hi @maoning, that issue was accepted last month, and the CVE was specific to the lack of authentication in the experimental API. It is true that it can be combined with another CVE for RCE (as specified in the other issue, RCE is valid only for a very specific DAG), but this API provides other functionalities. In my opinion, this should be considered separate; otherwise it is a little bit unfair (with all my respect), because I developed a plugin after getting an approval from you.

maoning avatar maoning commented on May 31, 2024

@frkngksl I would definitely want to prevent this from happening in the future and will discuss this with the entire review panel. Your effort here is recognized.

In general, we prefer RCE-based vuln verification for Tsunami plugins. While it's not always possible, we lean more towards finding fewer critical bugs than producing too many findings.
