I have seen my fair share of strange reactions and rejections by bugbounty plattforms, but this is new: Rejected, because the report mentions a CVE. No, I have no idea what they are thinking. (I can only guess that they get lots of low quality reports from automated tools mentioning CVEs. But the idea that a security report that mentions a CVE is invalid is... whatever...)
@hanno agreed. As someone who receives quite a few such reports, I can say that reporters often and quite legitimately refer to other and previous CVEs in their reports when backing up statements and comparing with previous problems etc...
Add comment