sethmlarson.dev

August 27, 2025

The vulnerability might be in the proof-of-concept

I'm on the security team for multiple open source projects that each receive a moderate volume of reports. Over the years, you notice patterns in how reporters try to get a report accepted as a vulnerability in the project.

One pattern that I see frequently is submitting proof-of-concept code that itself contains the vulnerability. Because the project's code is also used in the snippet, the reporter then tries to convince you that the vulnerability is in the project code rather than in the proof-of-concept.

Here’s a short post about this pattern, how to reason about it, and some recommendations to reduce the energy cost for these types of reports on open source projects.

Read more: https://sethmlarson.dev/the-vulnerability-is-in-the-proof-of-concept
