> However, things get annoying once something ends up on some priority list (like the Known Exploited Vulnerabilities list from CISA), you ship the software in a much older version, and there is no reproducer
There are known exploited vulnerabilities without PoC? TIL and that doesn't sound fun at all indeed.
Distribution maintainers who do the backports do not necessarily have access to this kind of information. My impression is that open sharing of in-the-wild exploits isn't something that happens regularly anymore (if it ever did), but I'm very much out of the loop these days.
And access to the reproducer is merely a replacement for lack of public vulnerability-to-commit mapping for software that has a public version control repository.
It used to happen, I'd say less than 5% of the total vuln reproducers are probably 'shared' at this point.
At last count I'd written close to 2000 reproducers and approx 400 of those were local privesc for product security.
Security teams are usually highly discouraged from sharing exploits/reproducers as they have leaked in the past. My Spectre/Meltdown ended up on the web and someone else took credit, sad.