Understanding Vulnerability Hunting and its Challenges
ID: fc946a8f-d0d8-5587-83d7-e0c406ea2812
STIX ID: report--fc946a8f-d0d8-5587-83d7-e0c406ea2812
Feed Name: Checkmarx Zero
Checkmarx’s research team describes their vulnerability-hunting efforts on open-source packages, highlighting several disclosed CVEs (including critical RCE and DoS issues) and providing links to detailed analyses. The report also reviews common challenges in vulnerability triage and disclosure—such as disagreements over whether an issue is a vulnerability or a bug, responsibility for fixes, difficulty finding maintainers, validation disputes, duplicate findings, and prolonged coordination—and urges improvements to streamline disclosure processes.
