The researchers need to provide proofs of concept. Actual functional exploits.
Talking in general, not for this very issue: In my experience, providing a proof of concept is often a lot harder than simply fixing the issue. For an open source project it’s probably more helpful if the reporter provides a fix or at least a recommendation on how to fix it.
Yeah, I agree that any bug report on such a technical level should contain scripts or similar to reproduce the finding, but that’s not the same as a full-blown proof of concept exploit, and I think requiring an exploit sets the bar too high. A vulnerability is a vulnerability, no matter whether there’s an exploit or not. If you commission somebody to do a pentest you usually don’t get exploits either.