
Last month I reported a security issue to Adobe through an email encrypted with PGP. I received the confirmation email, but no response past that. I checked the "Alert us" page and it said that you have to send a proof of concept file. In my email, I just said what was wrong and how to get to the exploit. Did I report it the wrong way?

  • You've asked 2 questions: "what is a POC?" and "did I report it the wrong way?" The latter question only Adobe can answer. – schroeder Aug 16 '15 at 03:08

2 Answers

4

A PoC, or Proof of Concept, provides a working example of the vulnerability being exploited. PoCs are provided to give concrete examples of, well, the concept. For example, I can say I have XSS on a web application, and I can point to the parameter that is passed in the URL, but the PoC provides a working example of the XSS.

This is important for a few reasons. One, it provides credence to the security claims. Two, it provides those developers who have to find and fix the problem a test case so that they can track down the problem and validate the fix. Three, it's a good use of everybody's time, yours and theirs, to have a PoC.

One thing to keep in mind about PoCs is that they are not full-blown exploits, but an example of what can be done. In the XSS above, a PoC would be alert(document.domain) to show I have control over the DOM. In buffer overflows, a PoC would be getting EIP to point to 41414141.

1

Did I report it the wrong way? Following the link you mentioned, it led me here. So I rather feel you did this:

When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

You explained the vulnerability, but a clear and precise explanation is not enough, as you can read in the second item of your link:

Submit the report with a proof-of-concept file to PSIRT@adobe.com (PGP key available here).

The definition of a POC on Wikipedia is imprecise, so I use the one from Wikiversity:

Evidence that demonstrates that a business model or idea is feasible

This evidence can be a program you develop to perform the steps you explained, showing the vulnerability. Winzapper is freeware developed as a POC.

In simple words: you can explain that it is feasible to bake a sweet cake following a certain method. In that case, a POC will consist of baking one (or more) cakes yourself following the method you described.

Pang