Ars Technica News<p>Open source project curl is sick of users submitting “AI slop” vulnerabilities <a href="https://arstechni.ca/LAhpm" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechni.ca/LAhpm</span><span class="invisible"></span></a> <a href="https://c.im/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a> <a href="https://c.im/tags/bugreports" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugreports</span></a> <a href="https://c.im/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> <a href="https://c.im/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://c.im/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a> <a href="https://c.im/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://c.im/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a></p>
mastodon.zunda.ninja is one of the many independent Mastodon servers you can use to participate in the fediverse.
Zundon is a single user instance as home of @zundan as well as a test bed for changes of the code.
Administered by:
Server stats:
1active users
mastodon.zunda.ninja: About · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.5.0-alpha.1+afcae57e-ruby-3.4.5
#hackerone
0 posts · 0 participants · 0 posts today
daniel:// stenberg://<p>I mentioned the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> AI slop thing on <a href="https://mastodon.social/tags/LinkedIn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LinkedIn</span></a></p>
Harry Sintonen<p>Why does the <a href="https://infosec.exchange/tags/AISlop" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AISlop</span></a> problem exist at <a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> (and likely other bug bounty platforms)?</p><p>Because apparently it works: <a href="https://hackerone.com/evilginx/hacktivity?type=user" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/evilginx/hacktiv</span><span class="invisible">ity?type=user</span></a></p><p>It seems that some projects pay bounties for such AI Slop reports.</p>
daniel:// stenberg://<p>While I can't be 100% sure, we (<a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a>) count 8 "AI slop" <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.</p>
daniel:// stenberg://<p>Round two in our fun game: "slop or not?"</p><p>(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)</p><p><a href="https://hackerone.com/reports/2912277" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2912277</span><span class="invisible"></span></a></p><p><a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a></p>
Harry Sintonen<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> Good. This is a real problem and if they don't address it, it may end up hurting them in the end. If <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a> is just full of AI "researches" posting endless AI slop reports, their clients will move on.</p>
Harry Sintonen<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> "it rather seems that AI slop now can help lazy incompetent researchers trick the system."</p><p>Any AI slop should result in immediate ban or zeroing of the reputation.</p><p>Will we see something like this from <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a>? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.</p>
daniel:// stenberg://<p>Here's a link to today's AI slop <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report. Freshly disclosed: <a href="https://hackerone.com/reports/2887487" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2887487</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>Marking them as spam now. <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> (AI slop as "security vulnerability reports")</p>
daniel:// stenberg://<p>Also <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a>: please STOP pushing your silly AI features to me. I don't care.</p>
daniel:// stenberg://<p>The original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a>'s CVE-2024-7264: ASN.1 date parser overread is now published:</p><p><a href="https://hackerone.com/reports/2629968" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2629968</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>it has been nearly three months since the last valid <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a></p><p>Just saying.</p><p>I bet you can't find anything to report.</p><p>🤠</p>
Harry Sintonen<p><a href="https://infosec.exchange/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> project is so effective in resolving reports they've broken <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a> <a href="https://hackerone.com/curl/policy_scopes" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/curl/policy_scop</span><span class="invisible">es</span></a></p>
daniel:// stenberg://<p>the original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report for CVE-2024-0853 is now public: <a href="https://hackerone.com/reports/2298922" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2298922</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>For details on the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> PSL vulnerability, check out the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report. And if you use libpsl, double-check that your use is correct: <a href="https://hackerone.com/reports/2212193" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2212193</span><span class="invisible"></span></a></p><p>Two mentioned projects in this report in particular should check their code.</p>
daniel:// stenberg://<p>We disclosed this <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> when someone asked Bard to find a vulnerability, and it hallucinated together something:</p><p> <a href="https://hackerone.com/reports/2199174" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2199174</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>If you want to see the full <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report and pre-disclosure discussion for the latest <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> CVE. Check this out: <a href="https://hackerone.com/reports/2039870" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2039870</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>First they submit junk security vulnerability reports at <a href="https://mastodon.social/tags/HackerOne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HackerOne</span></a>.</p><p>Then they whine when I close them as Not Applicable because that gives them a negative reputation.</p><p>Maybe not submit the crap reports in the first place to avoid "ruining" your reputation?</p>
daniel:// stenberg://<p>Reminder: we always disclose the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> issues including any discussions that let up to the disclosure of past CVEs. Today the last one from the previous release was made available: <a href="https://hackerone.com/curl/hacktivity?type=team" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/curl/hacktivity?</span><span class="invisible">type=team</span></a></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
LoginDrag & drop to upload