This repository hosts Proof of Concept (PoC) code that demonstrates vulnerabilities in real-world services with a minimal reproduction.
PoCs are published only when at least one of the following criteria is met:
- 90-Day Rule: At least 90 days have passed since the initial vulnerability report.
- Official Patch: A formal patch and stable release have been publicly deployed by the vendor.
- Vendor Approval: The vendor (e.g., Google, GitHub, Apple, etc.) has officially reviewed, validated, or approved the disclosure of the findings.
Under no circumstances will unpatched vulnerabilities (0-days) that pose an active, unacknowledged security threat be published.
Purpose:
- Case studies for security research and vulnerability analysis.
- Raising security awareness among developers and security professionals.
Simplified 3-tier structure:
pocs/[Service-Name]/CWE-[ID]-[Vulnerability]/[Index]
Example:
pocs/github-desktop/CWE-078-os-injection/poc-1
Note: Vulnerability classification follows the CWE (Common Weakness Enumeration).
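As an added example (not code from this repository), a small Python check that parses a candidate path against the 3-tier layout above and rejects anything that does not follow it. The slug character rules, the three-digit zero-padded CWE id and the "poc-<n>" index format are assumptions inferred from the single example on this page.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Pattern for the repository's 3-tier layout:
#   pocs/[Service-Name]/CWE-[ID]-[Vulnerability]/[Index]
# Assumptions (not stated on the page): service and vulnerability slugs are
# lowercase alphanumerics joined by single hyphens, the CWE id is numeric and
# zero-padded to at least three digits, and the index is "poc-<n>" with n >= 1.
POC_PATH = re.compile(
    r"^pocs/"
    r"(?P<service>[a-z0-9]+(?:-[a-z0-9]+)*)/"
    r"CWE-(?P<cwe>\d{3,})-(?P<vuln>[a-z0-9]+(?:-[a-z0-9]+)*)/"
    r"(?P<index>poc-[1-9][0-9]*)$"
)


class PocEntry(NamedTuple):
    service: str
    cwe_id: int
    vulnerability: str
    index: int


def parse_poc_path(path: str) -> Optional[PocEntry]:
    """Return the parsed entry, or None if the path breaks the convention.

    Anchored matching means segments such as "..", spaces or an extra
    trailing component never parse, so a caller can trust the fields.
    """
    m = POC_PATH.match(path.strip("/"))
    if not m:
        return None
    return PocEntry(
        m["service"], int(m["cwe"]), m["vuln"], int(m["index"].split("-")[1])
    )


def check_layout(paths: List[str]) -> Tuple[List[PocEntry], List[str]]:
    """Split candidate paths into conforming entries and offending paths."""
    ok: List[PocEntry] = []
    bad: List[str] = []
    for p in paths:
        entry = parse_poc_path(p)
        if entry is None:
            bad.append(p)
        else:
            ok.append(entry)
    return ok, bad
```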