[strunz]

Eh, part of assessing the vulnerability is how deep it goes. Showing that there were no gates or roadblocks to accessing all the data is a valid thing to research, otherwise they can later say "oh we hade rate limiting in place" or "we had network vulnerability scanners which would've prevented a wholesale leak".

[ofjcihen]

That’s not how web app vulnerabilities work and it would be easy to counter that handwaving with “hackers know what FireProx is”.

[SeaScythes]

Hey there--pentester, security researcher, and bug bounty hunter here.

"Demonstrating impact" is common practice. The presence (or non-presence) of rate limiting controls, such as those alluded to by the commenter above, can play into the risk assigned to a vulnerability, and may be difficult to ascertain without actually attempting an otherwise theoretical attack. This also has the effect of indicating whether the target has adequate detection capabilities, which is important information.

Demonstrating impact is also just sometimes necessary to convey urgency to leadership; hand waving is common. Alternatively, some organizations may silently patch without performing a responsible disclosure, such as was the case with this article. Having hard proof that the attack was 1) viable and 2) not detected is critical information in the event that you must disclose to the public.

As an aside, from your history:

> My one gripe with HN is that people say incorrect things with complete confidence pretty regularly and you can only Detect it if you know the subject matter.

Welcome to being part of the problem. Remember the feeling.

[ofjcihen]

Also a security professional, pentester, bug bounty hunter, multitude of other irrelevant self-imposed titles owner here.

You’ve demonstrated impact by small amounts of enumeration. If you had any real experience in bug bounty contracts you would know 2 things:

Almost all contracts ask you not to enumerate the entire data set as 2 or 3 records is enough (again, that’s how security controls work) and no one is interested in hearing about rate-limiting on public bounties. Pentesting sure, but that’s not what we’re talking about.

Source, 2 decades in the security industry at large in all kinds of positions.

And a note for future reference. If you think I’m out of line for my snark then don’t give what you can’t take.

Edit: Oh, and as someone on both sides of the fence enumerating an entire data set against scope is in the top ten reasons people get booted from programs. To anyone else seeing this chain: don’t do it. YOU DO NOT NEED TO TO PROVE IMPACT. Respect people’s privacy.