Hello Michał,

Michał Majchrowicz wrote:
> Sorry for being too automatic for you :) I like to put a few words before each
> advisory though.
> I have to admit I put my rambling through AI as often people have issues
> understanding me.
> I am not a native English speaker and at the same time even in my native
> language I have a tendency to write incoherent sentences and miss some stuff.
> Anyway, to overcome my problems I use an „AI tool” as a kind of advanced
> spellchecker. Sorry if it annoys, but it helps me keep things organised and
> overcome my limitations.

Your English is quite good; no problem with that.

I see two benefits with the approach of using AI tools for vulnerability
reporting:
  - It can find bugs that a human would have needed more effort to find.
  - It can add an exploit scenario. In the case of your 3 reports, we would
    not have needed it, but you never know the maintainer's thinking in
    advance.

And I see also one drawback:
  - It is so easy to write reports that are not well founded (like your 4th
    one), that maintainers can get overwhelmed.

So, in the end, it is still your task as a reporter to focus on the real
problems and not send reports about things which are not vulnerabilities.

> Regarding the symlink issue I was thinking in the context of recent history
> with how people were using Gemini CLI in the pipeline or the last Shai-Hulud
> (or whatever it was called) attack, where problems with the GitHub CI process
> allowed attackers to leak authentication tokens and as a result gain access
> to the repo itself. I was thinking about a scenario where this issue is used
> to overwrite such tokens.

The major problem here is the possibility of leaking authentication tokens.

When you have two issues that, together, allow a certain exploit, try to ask
yourself whether the first or the second one can be replaced by a similar one.
If the first issue can be combined with a multitude of second issues, the first
issue is the major problem. And vice versa.

> During my research I often encounter issues where whether they are security
> bugs or not often depends on context. My approach is to report them anyway
> and let the developer decide the impact, as in most cases I don’t have
> enough knowledge about project internals to decide myself.

IMO, you should consider the context first. The Automake maintainers should
not need to have knowledge about GitHub or CI or similar stuff.

Bruno