Comment by jedberg

5 years ago

This reminds me of the constant "security reports" I get.

"Changing the email doesn't expire the session on your web app". Should it? The email isn't the login, why should the session expire? It should expire on password change, maybe username change (but even then, why?). It's just a bunch of spam templates basically from people who don't really even understand the reports they are making.

And then they ask for public recognition so they can get points on one of those public security leaderboards.

Got similar from the security department of my previous company. Every time a new gadget was found in Jackson that allowed RCE if you turned on the feature to instantiate arbitrary classes based on user input (which is clearly documented with warnings in Jackson and was linted against being enabled in our internal rules _anyway_), we would get a ticket that we had 24 hours to update to the new Jackson version which just added that to their blacklist of classes not to be instantiated.

"Prototype pollution" from transitive dependencies of our frontend build scripts in node was another one where we would get spam security issues, though thankfully without the same tight deadline.

Now imagine how much worse it would be if some company decided to "help" infosec by giving away a free t-shirt for filing 4 "security reports" whether or not they were valid.
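The Jackson situation described in the comment above, as an added example that is not the commenter's code: the permissive configuration that lets the input document name the class to instantiate (guarded only by Jackson's built-in deny-list, which is what each "new gadget" release extends) beside the hardened configuration that allow-lists the concrete types the application actually expects. Assumes Jackson 2.10 or later; the `Event`, `LoginEvent`, `UnlistedEvent` and `Envelope` types are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class JacksonDefaultTypingDemo {
    // Hypothetical application types. An interface-typed field is exactly
    // where default typing lets the JSON document pick the concrete class.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }
    public static class UnlistedEvent implements Event {}
    public static class Envelope { public Event payload; }

    // Risky setting: any class named in the input may be instantiated,
    // subject only to Jackson's built-in deny-list of known gadget classes.
    static ObjectMapper permissiveMapper() {
        return new ObjectMapper().activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.PROPERTY);
    }

    // Corrected setting: an explicit allow-list of types that may be
    // instantiated; anything else is rejected before it is constructed.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // In real code a package prefix is typical: allowIfSubType("com.example.events.")
                .allowIfSubType(LoginEvent.class)
                .build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.PROPERTY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input that names a type the application never meant to accept.
        String json = "{\"payload\":{\"@class\":\"" + UnlistedEvent.class.getName() + "\"}}";

        Envelope e = permissiveMapper().readValue(json, Envelope.class);
        System.out.println("permissive: instantiated " + e.payload.getClass().getName());

        try {
            hardenedMapper().readValue(json, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened: rejected type id " + ex.getTypeId());
        }
    }
}
```

With the allow-list in place, a new entry in Jackson's deny-list is a routine dependency update rather than a 24-hour emergency, because unlisted classes were never instantiable in the first place.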