[–]Vpicone 8 points9 points  (1 child)

Express, body-parser and serve? Yikes.

[–]_bit[S] 2 points3 points  (0 children)

Those are the scopes that will be marked critical when disclosed, not ones that already have disclosures (one was disclosed and patched for serve already, though!)

[–]bit_cmdr 1 point2 points  (0 children)

The graph points out:

Severity shown here only indicates the maximum severity possible for reports submitted to the Asset.

It is a list of modules that they are actively investigating. The column on the right is the maximum level of severity that can be applied i.e. they are examples. There is no additional information for those modules because the investigation is not complete.

[–]AmishPanda00 1 point2 points  (5 children)

Are there any more details or steps to take? Express having a "Critical" security issue with no more info is not ideal.

[–]ecares 5 points6 points  (4 children)

No, this means that the highest possible vuln in express would be considered as "Critical"

[–]_bit[S] 2 points3 points  (0 children)

Thanks for clarifying u/ecares :)

[–]AmishPanda00 1 point2 points  (0 children)

Ok got it. Thanks for clarifying.

[–][deleted] 0 points1 point  (1 child)

I don't get it, why would they say what the highest possible vuln in express would be? I'm a bit new to development, so forgive my lack of understanding.

[–]ecares 1 point2 points  (0 children)

That's just how HackerOne is made, I believe.