What is considered as a valid *POC*....!

[byte-dev404]

Hey guys...!
So from past few days I have been looking at various Nuclei Templates Repo's issues and one thing in particular I found very confusing.
That is how maintainers decided weather a POC is VALID to then verify the effectiveness of the template.

At the time of writing I have read the contribution docs thrice looked at various issues and pull requests (both merged and closed) and still haven't been able to came to a conclusion that defines a set of rules or principles.

But in all that research, I have noticed few things which I like to mention to avoid waste of effort of my fellow contributors.

• The first and most Important thing I noticed was maintainers never accepts self craft vulnerable mock labs as they can be crafted specially to prove the template valid instead of testing the template, and I 100% agree with that but Calling them AI simulated feels wrong.

• Second thing I noticed is maintainers always require you to give them a VALID POC (usually a docker file) to test your template against.
And most of the time it is not faceable to get a POC like that, resulting in lots of PR getting closed and waste of effort from both sides (maintainers and contributors), But the real question is, Aren't these Docker labs also Simulated...?, I mean OF COURSE everyone knows that they are not real sites, someone has made them for testing purpose, So then Why our labs get called out AI mock while those are Valid POC?

• Lastly this is just a tip for fellow contributors, Before Writing a Single line of code/template/yaml, Get A valid POC and make sure the maintainers will accept it, otherwise most probably your work is also gonna go in thrash.

From my understanding there's a huge lack of set of principles/rules for validating the template itself and the POCs used to validate the template.
So that's all I have to say, If you think I'm wrong at point or have answer to any of the questions I asked above, I'd Love to here a response from you.

bye have a great day.

[ehsandeep]

@byte-dev404 thanks for asking! If you’re referring to submissions that are part of the template reward program, the requirements are different - if not, let me know if you're talking about a specific example.

To clarify:

1. Reward programs (require POC for verification)
   For bounty/reward submissions we do have strict rules (see Community Rewards FAQ). Contributors are required to share a POC upfront.

2. What counts as a valid POC

   • Public/testable instance - a live URL where the template can be verified.
   • Local/testable setup - a reproducible environment (Dockerfile, docker-compose, install script) that installs the actual vulnerable version of the application, not just a stub that mimics a response.
   • POC delivery (required): POCs must be emailed to [email protected].

3. Why "mock" labs are rejected
   The key difference is whether the environment runs a real vulnerable app or just simulates the expected output. If it's the latter, we can't confirm the template works in the real world / vulnerable application. If your Docker/VM setup installs the real vulnerable app version, it’s considered valid.

If you have an example where your POC was marked invalid but you believe it followed these rules, please share the link, happy to review and clarify.

And most of the time it is not faceable to get a POC like that, resulting in lots of PR getting closed and waste of effort from both sides (maintainers and contributors), But the real question is, Aren't these Docker labs also Simulated...?, I mean OF COURSE everyone knows that they are not real sites, someone has made them for testing purpose, So then Why our labs get called out AI mock while those are Valid POC?

On your point about Docker labs vs mock setups, this is important: since a valid POC is required to accept a submission, it makes sense to pick/filter CVEs where a reproducible setup is actually possible. Not every CVE is reproducible in practice, and those can be skipped.

Note: All templates accepted as part of the reward program have included reproducible setup details sent over email.