Reply to post:

Rubbish software security patches responsible for a quarter of zero-days last year

tiggity Silver badge

"The coder patched the problem he was submitted, he did not analyze the issue in its entirety. Then he had to patch the other part, and screwed that up so he had to re-patch. Three patches for the same thing. That is shoddy programming, because we can."

It may well be that the programmer gets a set of test cases to prove the problem and makes a fix that passes those test cases - job done - but the test cases did not cover all eventualities.

It's naïve to assume the programmer has the same skillset / knowledge as the attackers, so it's quite likely the programmer would be blissfully unaware of other attack variants.

These sorts of bugs really need someone with a hacking / attacking / pen-test mindset to spec the test cases that the programmers should fix.

If, e.g., some of these bugs were essentially in a JS compiler / engine, then we cannot assume the devs had deep JS knowledge. A classic comp sci uni project is (well, was, back in the day when I was at uni; it may have changed) to write a compiler for a language you had never used before / knew nothing about (the compiler itself was written in a language you knew) as a classic demonstration of working from a spec (typically it would be a compiler for a "made up" language, so students could not crib stuff online).
