Brian, Joe: so you both agree this is not a vulnerability, but by (admittedly weak) design? And that it should definitely be strengthened in future revisions of the API?
If yes, I'd suggest that we open this bug as a known and wanted security improvement, rather than keep it embargoed as an exploitable vulnerability.
Alessio: would that work for you?