Closed h2oa closed 3 months ago
Thanks for the report, @h2oa! Unfortunately, it seems like we can't access it on huntr.com due to lack of permissions, like in the other report you submitted previously.
Hi @0x2b3bfa0,
Yes, the vulnerability issue will occur if a pull request is accepted by someone. Therefore, in my report at huntr.com, the "User interaction" field has the value "Required". Can you notify the admin of huntr.com to consider and change my report on huntr.com to valid? This will help me receive a reward commensurate with my efforts to find vulnerabilities. Thanks a lot!
Your product is running a bug bounty program on the huntr.com platform, so I believe you have the authority to request permission from the huntr.com admin to view the report details.
Best regards, @h2oa
> Your product is running a bug bounty program on the huntr.com platform, so I believe you have the authority to request permission from the huntr.com admin to view the report details.
Thanks for clarifying this, @h2oa! Our only official bug bounty program is this one, and we aren't affiliated in any way with huntr.com; I'm trying to contact them, hoping to find out how to access and triage those reports.
> Yes, the vulnerability issue will occur if a pull request is accepted by someone.
If someone managed to trick us into accepting a malicious pull request[^1], they could find a thousand more subtle and more impactful ways of executing code than this one, e.g. adding a malicious dependency to package-lock.json.
[^1]: It's already too hard to get a legitimate pull request accepted, let alone a malicious one. 🙈
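The comment above points at the lock file as the quiet place a malicious pull request would change; the following is an added example (not code from this thread or from the project) of the kind of review check a maintainer can run on a pull request before merging, diffing the old and new package-lock.json and flagging additions, version or resolved-URL changes, missing or changed integrity hashes, and non-registry download hosts. The two lock documents embedded below are constructed for the example; `OLD_LOCK`, `NEW_LOCK`, `lockfile_packages` and `lockfile_diff` are names chosen here, and the package name `unexpected-helper` and host `example.invalid` are placeholders.

```python
"""Added example, not part of the original PR thread: flag supply-chain-relevant
changes between two package-lock.json documents (lockfileVersion 2/3 'packages'
map, with a fallback to the v1 'dependencies' map). Sample data is constructed."""
import json

NPM_REGISTRY = "https://registry.npmjs.org/"

# Constructed "before merge" lock file: one dependency pinned with an integrity hash.
OLD_LOCK = json.loads("""
{
  "name": "example", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-HASH"
    }
  }
}
""")

# Constructed "after merge" lock file: a new package appears, fetched from a
# non-registry host and carrying no integrity field at all.
NEW_LOCK = json.loads("""
{
  "name": "example", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-HASH"
    },
    "node_modules/unexpected-helper": {
      "version": "0.0.1",
      "resolved": "https://example.invalid/unexpected-helper-0.0.1.tgz"
    }
  }
}
""")


def lockfile_packages(lock: dict) -> dict:
    """Return {install_path: entry} for a parsed lock file.
    lockfileVersion 2/3 keep a flat 'packages' map keyed by path; the empty key
    is the root project and is skipped. For v1 only the 'dependencies' map is
    read (top level, nested entries ignored in this example)."""
    if "packages" in lock:
        return {path: entry for path, entry in lock["packages"].items() if path}
    return {f"node_modules/{name}": entry
            for name, entry in lock.get("dependencies", {}).items()}


def lockfile_diff(old: dict, new: dict) -> list:
    """Compare two parsed lock files and return reviewer findings, one string per
    item: ADDED / REMOVED packages, VERSION / RESOLVED / INTEGRITY changes, entries
    with NO-INTEGRITY hash, and NON-REGISTRY download URLs."""
    before, after = lockfile_packages(old), lockfile_packages(new)
    findings = []
    for path, entry in sorted(after.items()):
        prev = before.get(path)
        version, resolved = entry.get("version"), entry.get("resolved", "")
        if prev is None:
            findings.append(f"ADDED {path} {version} from {resolved or '<no resolved url>'}")
        else:
            if prev.get("version") != version:
                findings.append(f"VERSION {path} {prev.get('version')} -> {version}")
            if prev.get("resolved") != resolved:
                findings.append(f"RESOLVED {path} {prev.get('resolved')} -> {resolved}")
            if prev.get("integrity") != entry.get("integrity"):
                findings.append(f"INTEGRITY {path} hash changed")
        if "integrity" not in entry:
            findings.append(f"NO-INTEGRITY {path}")
        if resolved and not resolved.startswith(NPM_REGISTRY):
            findings.append(f"NON-REGISTRY {path} {resolved}")
    for path in sorted(set(before) - set(after)):
        findings.append(f"REMOVED {path}")
    return findings


def review_sample() -> list:
    """Run the check over the constructed pair of lock files."""
    return lockfile_diff(OLD_LOCK, NEW_LOCK)


if __name__ == "__main__":
    for line in review_sample():
        print(line)
```

In CI this would read the base-branch and head-branch copies of package-lock.json instead of the embedded samples and fail the job when any finding is emitted, leaving a human to decide whether the addition is legitimate. The NO-INTEGRITY and INTEGRITY checks matter because `npm ci` verifies downloaded tarballs against the integrity field in the lock file, so an entry without one (or with a changed one) removes that protection for that package.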
Hi cml security team,
I submitted a vulnerability report on huntr.com. I see your product runs a bug bounty program on this platform. You can contact the huntr admin to see the details of the report at https://huntr.com/bounties/2113dbb3-8427-4b77-913a-15a95bf68922. This pull request is a patch for this vulnerability. Because this is a dangerous vulnerability, please consider it as quickly as possible!