SQLi

Questions or suggestions about the platform
GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm
SQLi

Post by GordSchramm » Fri Jun 01, 2018 2:26 am

Is there a way that "Can't reproduce vulnerability" could instead be changed to the reason why? Case in point: I reported a vulnerability that I believed to be an SQLi, but submitted it anyway. Thing is, I could have modified it for a future report if I knew it would be rejected as an SQLi rather than "Can't reproduce vulnerability". Some researchers also submit reports that end up being flagged as an SQLi unintentionally, so they come onto the forum asking why and get the response of "don't accept SQL injections". Fair enough, but they should know why when the report is rejected rather than asking on the forum why it was.

Regards,

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: SQLi

Post by x1admin » Fri Jun 01, 2018 8:09 am

GordSchramm wrote:
Fri Jun 01, 2018 2:26 am
Is there a way that "Can't reproduce vulnerability" could instead be changed to the reason why? Case in point: I reported a vulnerability that I believed to be an SQLi, but submitted it anyway. Thing is, I could have modified it for a future report if I knew it would be rejected as an SQLi rather than "Can't reproduce vulnerability". Some researchers also submit reports that end up being flagged as an SQLi unintentionally, so they come onto the forum asking why and get the response of "don't accept SQL injections". Fair enough, but they should know why when the report is rejected rather than asking on the forum why it was.

Regards,

Why do you report an SQL injection vulnerability if you know that we don't accept this?

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: SQLi

Post by GordSchramm » Fri Jun 01, 2018 12:48 pm

Just to make the point I was trying to get across: it had the JavaScript popup, and if I was a researcher that thought it was an XSS vuln and submitted it not knowing it was an SQLi, I would wonder why it becomes "Can't reproduce vulnerability". I plan to modify it for another report that shows that there is an XSS vuln.

Basically, what I'm trying to say is that when these types of reports are submitted, instead of "Can't reproduce vulnerability", have the reason why like "Rejected because of SQLi".


Regards,
