At What Point Does a Known Vulnerability Stop Being a Duplicate?
Hi! I’m looking for some advice from people who have bug bounty experience.
I found an application-specific parsing inconsistency in an image-fetch feature. Because the main validation logic and a legacy fallback path handle things differently, it’s possible to get around some of the intended URL validation checks and access functionality that normally wouldn’t be reachable.
The fallback component uses a very old version of a third-party library that has publicly known security issues.
I’m not really asking about exploitation itself, but rather whether it’s worth developing a working RCE for this if the outcome could still be a duplicate.
In your experience, how do bug bounty programs usually look at findings where:
- The reachability issue is application-specific.
- The downstream component contains known public vulnerabilities.
- The application’s own logic is what makes the vulnerable code path reachable.
I’m mainly trying to understand when a vulnerability gets marked as a duplicate if it is based on known vulnerabilities.