Report Template proposition

Hi Guys,

There is a report template put in when you choose to submit a new vulnerability report to the Node.js Ecosystem Bug Bounty Program.

I think it can be tuned up a little bit 😉

Here’s my proposition (this is exactly the same template I am using to report to your program).

Why tho?

I found that the current template contains some unnecessary sections. For example, Impact, which is now a separate field in the report form itself, so there is no need to put the same information in twice.

Also, Summary and Description look to me like something that can be merged into one section, where the vulnerability can be described.

Report Template proposition

So, to make a long story short, here’s the proposed template:

There is [VULNERABILITY] in [MODULE]
It allows [WHAT IT ALLOWS - EG. READ ARBITRARY FILES, READ DATA FROM DATABASE ETC.]

## Module

**[MODULE NAME]**

[DESCRIPTION - JUST FOR REFERENCE; COPIED FROM NPM MODULE PAGE]

https://www.npmjs.com/package/[MODULE NAME]

version: [MODULE VERSION]

Stats
1 downloads in the last day
10 downloads in the last week
100 downloads in the last month

~1200 estimated downloads per year [JUST FOR REFERENCE,  ~DOWNLOADS PER MONTH*12]

## Description

[DESCRIPTION OF HOW THE VULNERABILITY WAS FOUND AND HOW IT CAN BE EXPLOITED, HOW IT HARMS PACKAGE USERS (DATA MODIFICATION/LOSS, SYSTEM ACCESS, OTHER)]

## Steps To Reproduce:

[DETAILED STEPS TO REPRODUCE WITH ALL REQUIRED REFERENCES/STEPS/COMMANDS. IF THERE IS ANY EXPLOIT CODE OR REFERENCE TO THE PACKAGE SOURCE CODE, THIS IS THE PLACE WHERE IT SHOULD BE PUT]

## Supporting Material/References:

[ALL TECHNICAL INFORMATION ABOUT STACK WHERE VULNERABILITY WAS FOUND GOES HERE]:

- [OPERATING SYSTEM VERSION - MANDATORY]
- [NODEJS VERSION - MANDATORY]
- [NPM VERSION - MANDATORY]
- [BROWSERS VERSIONS, IF APPLICABLE] 
- [OTHER SOFTWARE USED TO EXPLOIT VULNERABILITY AND THEIR VERSIONS, IF APPLICABLE]

## Wrap up

[HUNTER'S COMMENTS AND FUNNY MEMES GO HERE]


Anything missed?

Is there anything from your point of view that I’ve missed here and that you think should be added? Please feel free to put any ideas in the comments 😃

Regards,

Rafal ‘bl4de’ Janicki
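A small linter for the proposed template, added here as an example and not part of the issue or of the bounty program's tooling: it splits a report on the template's `##` headings, flags unfilled [ALL CAPS] slots, checks the three MANDATORY environment lines, and applies the "downloads per month * 12" yearly estimate. The section names and mandatory items come from the template above; the module, its stats and the finding in the sample report are constructed.

```python
import re
# Constructed linter for the proposed template (not part of the issue or the bounty program).
REQUIRED_SECTIONS = ("Module", "Description", "Steps To Reproduce", "Supporting Material/References")
# Environment details the template marks MANDATORY, matched case-insensitively.
REQUIRED_ENV = {"operating system": r"\b(operating system|os)\b",
                "node.js version": r"\bnode(\.js)?\b", "npm version": r"\bnpm\b"}
PLACEHOLDER = re.compile(r"\[[A-Z][^\]]*\]")  # an unfilled [ALL CAPS] template slot

def split_sections(report):  # map each '## Heading' (trailing colon dropped) to its body
    parts = re.split(r"^##\s+(.+?):?\s*$", report, flags=re.MULTILINE)
    sections = {"_preamble": parts[0].strip()}
    for name, body in zip(parts[1::2], parts[2::2]):
        sections[name.strip()] = body.strip()
    return sections

def estimated_yearly_downloads(module_section):  # template's rule: last-month downloads * 12
    m = re.search(r"(\d[\d,]*)\s+downloads in the last month", module_section)
    return int(m.group(1).replace(",", "")) * 12 if m else None

def lint_report(report):  # problems a triager would bounce the report for; [] means it passes
    problems, sections = [], split_sections(report)
    for name in REQUIRED_SECTIONS:
        if name not in sections:
            problems.append(f"missing section: {name}")
        elif not sections[name]:
            problems.append(f"empty section: {name}")
    for name, body in sections.items():
        problems += [f"unfilled placeholder in {name}: {s}" for s in PLACEHOLDER.findall(body)]
    env = sections.get("Supporting Material/References", "")
    for label, pattern in REQUIRED_ENV.items():
        if not re.search(pattern, env, re.IGNORECASE):
            problems.append(f"missing mandatory environment detail: {label}")
    return problems

# Constructed sample that follows the template; the module and the finding are fictional.
SAMPLE_REPORT = """\
There is a path traversal in example-static
## Module
**example-static** version: 1.2.3
1,200 downloads in the last month
## Description
Request paths are joined to the served root without normalisation, so '..' segments escape it.
## Steps To Reproduce:
1. Serve an empty scratch directory and request a path containing '..' segments.
## Supporting Material/References:
- OS: Ubuntu 16.04
- Node.js v8.9.4
- npm 5.6.0
"""
```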

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 18 (15 by maintainers)

Top GitHub Comments

1 reaction
lirantal commented, Feb 23, 2018

Makes sense. I also updated the markdown headers a bit to make more sense so that there’s one head section for the module information and the 2nd for the vulnerability information.

I updated my comment here: https://github.com/nodejs/security-wg/issues/114#issuecomment-364238635 with the proposed changes (but I also updated it on the H1 report form already 😉 )

1 reaction
vdeturckheim commented, Feb 18, 2018

Awesome, thanks @lirantal !
