psmoros opened 2 years ago
From @geeknik:
Hi, I think it would make proper sense to add a "Security Advisory" field to bug reports likely to receive a CVE. This field would be editable by the researcher and the maintainer and allow for the discussion and formatting of a proper security advisory. The value in a CVE being written which only says "xxx is vulnerable to yyy" is low, and I feel that adding the ability for us to write up a simple root cause analysis can go a long way. 1024 characters or less; we don't need a novel, and if it's that big of a deal, include a link to a proper write-up. Comments would be separate from the bug report and hidden from public view (?); discussions about the root cause aren't necessarily that interesting to outside parties, plus if there is a proper write-up, that will be way better to read. Once the "Publish" button is clicked by the maintainer, who in the end is the absolute authority over their own code, the advisory gets posted, the report goes public, everyone gets paid and we move on to the next report. Thoughts?
If I may leave another suggestion, maybe a link to some educational material next to the Advisory field for those folks who have never had to write an advisory before? For instance: https://cveproject.github.io/docs/content/key-details-phrasing.pdf
Pitch
Clarification: this feature doesn't include the ability for users to edit the summary of their reports on the huntr platform. If you guys want that, please feel free to open another issue.