sethmlarson.dev

August 27, 2025

The vulnerability might be in the proof-of-concept

I'm on the security team for multiple open source projects with moderate report volume. Over the years, you notice patterns in how reporters try to get a report accepted as a vulnerability in the project.

One pattern I see frequently is a proof-of-concept whose own code contains the vulnerability. Because the snippet also calls into the project's code, the reporter argues that the vulnerability lies in the project rather than in the snippet.
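To make the pattern concrete, here is an added example that is not from the post and does not describe any real project or report. It assumes a hypothetical library function, `project_normalize`, that only trims whitespace, and a constructed proof-of-concept that interpolates the result into a shell command run through `sh -c`. The triage trick it demonstrates is to swap the project's code for an identity function and re-run the PoC: if the effect survives, the project is not what the report depends on. A second hypothetical library function, `project_decode`, shows the opposite outcome, where the project's own transformation is needed to reproduce the effect and the report deserves a closer look. All function names, payloads and the `INJECTED` marker are constructed for the example.

```python
import subprocess
from typing import Callable
from urllib.parse import unquote

# Hypothetical "project" code, deliberately harmless: it trims whitespace and
# never touches a shell or the filesystem. (Constructed for this example.)
def project_normalize(name: str) -> str:
    return name.strip()

# Second hypothetical "project" function: percent-decodes its input. Also
# harmless on its own, but it changes what a downstream sink sees.
def project_decode(name: str) -> str:
    return unquote(name.strip())

def identity(name: str) -> str:
    """Stand-in for the project: returns the input unchanged."""
    return name

def reporter_poc(user_input: str,
                 project_fn: Callable[[str], str] = project_normalize) -> str:
    """Constructed PoC in the style the post describes.

    The injection point is the reporter's own string-formatted shell command.
    The project function it calls does not execute anything.
    """
    name = project_fn(user_input)
    cmd = f"echo listing {name}"  # attacker text interpolated into a shell line
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout

def hardened_poc(user_input: str) -> str:
    """The same task with the reporter-side bug fixed: argv list, no shell."""
    name = project_normalize(user_input)
    return subprocess.run(["echo", "listing", name],
                          capture_output=True, text=True).stdout

def shows_injection(output: str) -> bool:
    # The payload tries to run a second command that prints exactly "INJECTED"
    # on its own line. Substring matching would false-positive on the hardened
    # run, where the marker is echoed literally as part of the argument.
    return "INJECTED" in output.splitlines()

def triage(user_input: str,
           project_fn: Callable[[str], str] = project_normalize) -> str:
    """Run the PoC with and without the project's code in the loop.

    Returns:
      "poc-only"          effect reproduces without the project: the bug is in the PoC
      "project-involved"  effect needs the project's transformation: look closer
      "not-reproduced"    the PoC does not demonstrate the claimed effect
    """
    with_project = shows_injection(reporter_poc(user_input, project_fn))
    without_project = shows_injection(reporter_poc(user_input, identity))
    if with_project and without_project:
        return "poc-only"
    if with_project:
        return "project-involved"
    return "not-reproduced"

# Constructed sample inputs.
PAYLOAD = "report.txt; echo INJECTED"
ENCODED_PAYLOAD = "report.txt%3B%20echo%20INJECTED"

if __name__ == "__main__":
    print(triage(PAYLOAD))                               # poc-only
    print(triage(ENCODED_PAYLOAD, project_decode))       # project-involved
    print(shows_injection(hardened_poc(PAYLOAD)))        # False
```

The identity swap is the key question to ask of any such report: does the exploit still work if every call into the project is replaced with a no-op? The `project_decode` case shows why the answer is not always "yes": a transformation the project performs can be what turns an inert string into a live payload, and that is worth documenting even when the final sink is still the reporter's.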

Here's a short post about this pattern, how to reason about it, and some recommendations for reducing the triage burden these reports place on open source projects.

Read more: https://sethmlarson.dev/the-vulnerability-is-in-the-proof-of-concept
