This tweet asks whether a WAF (Web Application Firewall) bypass alone counts as a valid security report, or whether it only matters when it leads to a more critical vulnerability. The user says they will obviously try to escalate the impact, but wants to know if reporting a bypass by itself is worthwhile, especially when it is due to poor implementation.

In simple terms, a WAF bypass means finding a way to get malicious traffic past the firewall that is meant to stop attacks. Even if this bypass does not immediately lead to a direct exploit or critical vulnerability, it can be important to report because it shows a weakness in the security setup. Poorly implemented protections can allow attackers to eventually exploit something more serious.

Therefore, while escalating to more critical vulnerabilities is ideal, reporting a WAF bypass is still valuable. It helps the vendor improve their product and fix potential gaps before attackers can take advantage.

Original tweet: https://twitter.com/0xPira/status/2043116407219462162