iterative / cml

♾️ CML - Continuous Machine Learning | CI/CD for ML
http://cml.dev
Apache License 2.0

Quote `$GITHUB_HEAD_REF` on `release.yml` #1448

Closed h2oa closed 3 months ago

h2oa commented 3 months ago

Hi cml security team,

I submitted a vulnerability report on huntr.com. I see your product runs a bug bounty program on this platform. You can connect with the huntr admin to see details of the report at https://huntr.com/bounties/2113dbb3-8427-4b77-913a-15a95bf68922. This pull request is a patch for this vulnerability. Because this is a dangerous vulnerability, please consider it as quickly as possible!

0x2b3bfa0 commented 3 months ago

Thanks for the report, @h2oa! Unfortunately, it seems like we can't access it on huntr.com due to lack of permissions, like in the other report you submitted previously.

h2oa commented 3 months ago

Hi @0x2b3bfa0,

Yes, the vulnerability issue will occur if a pull request is accepted by someone. Therefore, in my report at huntr.com, the User interaction field has the value Required. Can you notify the admin of huntr.com to consider and change my report on huntr.com to valid? This will help me receive a reward commensurate with my efforts to find vulnerabilities. Thanks a lot!

Your product is running a bug bounty program on the huntr.com platform, so I believe you have the authority to request permission from the huntr.com admin to view the report details.

Best regards, @h2oa

0x2b3bfa0 commented 3 months ago

> Your product is running a bug bounty program on the huntr.com platform, so I believe you have the authority to request permission from the huntr.com admin to view the report details.

Thanks for clarifying this, @h2oa! Our only official bug bounty program is this one, and we aren't affiliated in any way with huntr.com; I'm trying to contact them, hoping to find out how to access and triage those reports.

0x2b3bfa0 commented 3 months ago

> Yes, the vulnerability issue will occur if a pull request is accepted by someone.

If someone managed to trick us into accepting a malicious pull request[^1], they could find a thousand more subtle and more impactful ways of executing code than this one, e.g. adding a malicious dependency to `package-lock.json`.

[^1]: It's already too hard to get a legitimate pull request accepted, let alone a malicious one. 🙈