Summary
Usually, when a bug becomes a known issue or has been reported by a whitehat, the project submits a patch fixing the bug. However, sometimes a fix can be ineffective, because it does not solve the problem or may even introduce new attack vectors.
An example of a project fix unintentionally introducing a new attack vector can be seen here.
In general, if you find that you can bypass these “fixes”, you should report the bug, as these are still live bugs that may cause damage to the protocol and its users.
Can I report a bug that was found in past audit(s) of the project but was left unfixed?
Yes, but the project can close your report as a known issue without payment, even if the bug was left unfixed. Sometimes projects receive audit reports highlighting low-severity bugs that they don’t care about fixing or intend to fix later. Other times, implementing a fix requires other serious changes, which inhibits a project from easily fixing the bug itself.
Can I report a bug that was "fixed", but the fix didn't actually fix all means of exploiting the bug?
Yes. A bug that was found previously but not effectively fixed should be reported, as it is still a live bug that needs to be fixed and could cause harm to the protocol and its users.
And if the fix did not cover all of the impacts, you should report the bug for the impacts it still causes, since the fix did not address all of them.
Can I report a bug that was “fixed”, but the fix introduced new bugs?
Yes. New bugs coming from a “fix” are valid as long as they are in scope according to the bug bounty program. For bug bounty programs using Primacy of Impact, you should report it as long as the bug impacts funds.
When reporting for Primacy of Impact, you should also include a PoC with your bug report in order to illustrate the impact of the bug.
I submitted a bug that was paid and the team said they would fix it, but have not done so. Can I report it again?
No, the responsibility is now on the project to fix the bug. The bug counts as a known issue and has already been paid for. However, if you’d like, you can still highlight privately in the bug report that this bug still exists as a reminder for the project to fix it quickly. You won’t be paid twice for the same finding.