Fix 21 SEVERE+HIGH correctness errors (surgical, audit-driven) #33
Merged
Second accuracy pass from the multi-agent audit — the confirmed correctness errors in otherwise-adequate/strong skills (the weakest 15 were PR #32). Same pipeline: surgical fix → adversarial verify → hand-correct. 14/21 verifier-clean; 3 flagged (bugcrowd §8.1 stale ordering, meme-coin SUAVE overstatement, hunt-saml partial) all hand-corrected. Diffs are intentionally small (182+/132−).

SEVERE — fabrications / wrong identifiers:
- okta-attack: fabricated `CVE-2024-VERIFY` -> real CVE-2024-10327 (Okta Verify iOS push-notification bypass; web-verified on NVD)
- enterprise-vpn-attack: `CVE-2024-46805` -> CVE-2023-46805 (Ivanti, the real number)
- supply-chain-attack-recon: SUNBURST no longer mislabeled CVE-2020-10148; cite CISA AA20-352A
- meme-coin-audit: removed invented "35%/25%/20%" stats + phantom tool refs; SUAVE de-overstated
- hunt-subdomain: removed an UNVERIFIABLE HackerOne report id (#1487793) — kept the technique
- bugcrowd-reporting: fixed backwards chain-submission UUID ordering (§5.1 AND §8.1)
- hunt-business-logic: corrected the "HMAC replay with modified payload bypasses" claim

HIGH — stale facts / backwards logic / class conflations:
- hunt-xss (removed-2019 Chrome XSS Auditor), hunt-xxe (.NET XmlReader DtdProcessing default), triage-validation (CVSS vectors recomputed), hunt-ssti/hunt-springboot (backwards `#{7*7}` logic), hunt-open-redirect (CRLF != open-redirect), hunt-saml (gzip/comment-injection corrected; description de-overclaimed), hunt-cache-poison, hunt-mfa-bypass, hunt-nextjs, redteam-mindset, vmware-vcenter-attack, mid-engagement-ir-detection, hunt-sharepoint.

Anti-fabrication enforced: every added identifier is a well-known real CVE (Ivanti 2023-46805, Next.js 2024-34351, SharePoint ToolShell 2025-49704/49706, ruby-saml 2017-11428, Okta 2024-10327) or a real advisory (CISA AA20-352A); the one unverifiable HackerOne id was removed, not kept.

All 71 lint clean (incl. the new YAML-safety check), descriptions <=1024, bodies <=500.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Second accuracy pass from the multi-agent audit: the 21 confirmed correctness errors in otherwise-adequate/strong skills (the weakest-15 were #32). Same pipeline — surgical fix → adversarial verify → hand-correct — but tuned to touch only the confirmed error (diffs are deliberately tiny: 182+/132− across 21 files). 14/21 came back verifier-clean; 3 were flagged and hand-corrected.
🔴 SEVERE — fabrications / wrong identifiers
- okta-attack: CVE-2024-VERIFY → real CVE-2024-10327 (Okta Verify iOS push bypass, verified on NVD)
- enterprise-vpn-attack: CVE-2024-46805 → CVE-2023-46805 (Ivanti, the real number)
- supply-chain-attack-recon: CVE-2020-10148; cite CISA AA20-352A
- meme-coin-audit
- hunt-subdomain: #1487793) — kept the technique
- bugcrowd-reporting
- hunt-business-logic

🟠 HIGH — stale facts / backwards logic / class conflations (14)

hunt-xss (removed-2019 XSS Auditor), hunt-xxe (.NET XmlReader default), triage-validation (CVSS vectors recomputed), hunt-ssti/hunt-springboot (backwards #{7*7}), hunt-open-redirect (CRLF ≠ open-redirect), hunt-saml (gzip/comment-injection + de-overclaimed description), hunt-cache-poison, hunt-mfa-bypass, hunt-nextjs, redteam-mindset, vmware-vcenter-attack, mid-engagement-ir-detection, hunt-sharepoint.

What the adversarial verifier caught (and I hand-fixed)

- bugcrowd-reporting — §5.1 fixed but §8.1 left contradicting it → updated §8.1 too
- meme-coin-audit — fixer introduced "Flashbots SUAVE as live 2026 infra" (it's testnet) → removed
- hunt-saml — needs-rework: core fixes good, but description still over-claimed XSW1-XSW8 / "real paid examples" → trimmed to match the body

Anti-fabrication

Every added identifier is a well-known real CVE or a real advisory (verified the two riskiest — CVE-2024-10327, CVE-2023-46805 — and removed the one unverifiable HackerOne id rather than keep it).

Gates: all 71 lint-clean (incl. the YAML-safety check), descriptions ≤1024, bodies ≤500.