418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

CSRFs on logout get no bounty #2181

Open Scara31 opened 2 years ago

Scara31 commented 2 years ago

Recently I have seen way too many reports about CSRF on logout; here are some really fresh ones:

https://huntr.dev/bounties/77559ff3-0494-4186-b6e9-c4146bedc0df/
https://huntr.dev/bounties/e20fc1c1-3b42-4900-9983-7afa36cb681c/
https://huntr.dev/bounties/7b58c160-bb62-45fe-ad1f-38354378b89e/
https://huntr.dev/bounties/9bb65f17-957c-403f-9ef8-fda74cfa9f79/
https://huntr.dev/bounties/81838575-e170-41fb-b451-92c1c8aab092/
https://huntr.dev/bounties/bd2e0e97-086a-4b74-b9d2-f589ceb8dc64/
https://huntr.dev/bounties/62408fa4-2c16-4fcd-8b34-41fcdccb779e/

This issue has absolutely no impact; for example, H1 even mostly marks such reports as N/A. It could be solved with a simple regex that marks reports containing certain keywords as potentially non-impactful, with further manual review and a 0 payout in that case. Actually, reports without impact, or even just non-security issues, look like a big problem. Of course some of them may be fixed, like happened with the HTTP-only cookies story, but mostly the solution is not that simple. I have a few thoughts, as I have experience being a security analyst, aka triager, so I'll be glad to contribute to this community!