Pro-tip to all security researchers. Never do this. This is exactly the shit that causes a big rift between developers and security researchers. It's simply insulting to developers' time to drop such a useless list of bugs on them. https://twitter.com/dotMudge/status/1321530604148707331
This is clearly a cash grab to get some PR and turn it into funding. The value of these bugs is incredibly low. It's the sort of pass-in-a-corrupted-argv sort of bullshit that isn't even a security surface. Most of these packages are not maintained.
This is such a waste of time on both the researchers' part (in conducting this "research") and of the developers' time to click WONTFIX on all the boxes. It's not impressive to find bugs like this. These are not security boundaries, these are not maintained packages...
It's cyber-security theatre. A single Chrome bug would be far more impressive than this entire list by an absolute landslide. I don't fault the researchers who work on stuff like this, but management and leadership that encourages shit-throwing like this.
You can just see how little care there is in actually having an impact, as there's no attempt to polish reports, support developers in fixes (beyond "email us if you need some help"). Can't wait to see how pissed off this makes developers. Don't. Do. This.
This is like someone running AFL on all of the students' assignments from your university. Many of these projects are not written by developers, are not maintained by anyone, and are often someone's "first try" at programming.
Ugh. Please discourage and don't be impressed by "research" like this. There are likely good nuggets in the strategies and research that went into producing this, I don't doubt that. But, this is purely a show to impress people.
We'll continue to see shit like this if people keep promoting this style of work. If you find yourself automating the release of bug reports without human interaction, seriously consider the impact it has on developers. It is very hard to dedup bugs and not waste time.
There are tasteful ways to do automated bug reporting. Often it's with a system that is genuinely interested in improving reports and the software. This pretty much always requires consenting projects and bi-directional, high-bandwidth communication between devs and researchers.
For amazing examples, look at OSS-fuzz. The followup, the consideration of developers time, the prioritization of bugs and acceptance of things not being surface is extremely important to making development machinery work correctly.
As a researcher, your goal should be impact. Yeeting bugs on someone who hasn't asked for it, and then dipping, is just fucking infuriating. It shows a complete disregard to actually having an impact with the work that is being done. And I don't doubt they have some good tech.