This tweet discusses the idea of reporting a security issue related to a WAF (Web Application Firewall) bypass. The author asks whether the issue is already reportable, since the only protection in place is the WAF. They also understand the desire for more details or evidence before a higher bounty is awarded. The suggestion is to raise a report now and update it later if a bypass is successfully demonstrated.
In simple terms, the tweet points out that even if a WAF is the only defense in place, it might still be worth reporting any potential bypass or weakness. However, the severity and bounty might depend on whether a practical bypass can be shown. Submitting an initial report and then updating it after a successful bypass could be a strategic approach.
Since the vendor, exact payload, and specific vulnerability type are not mentioned, this serves as a general commentary on the WAF bypass reporting process rather than a technical analysis of a particular bypass.
Original tweet: https://twitter.com/mrdami3n/status/2045894475831034215