mastodon.zunda.ninja is one of the many independent Mastodon servers you can use to participate in the fediverse.
Zundon is a single user instance as home of @zundan as well as a test bed for changes of the code.

#hackerone

Ars Technica News<p>Open source project curl is sick of users submitting “AI slop” vulnerabilities <a href="https://arstechni.ca/LAhpm" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechni.ca/LAhpm</span><span class="invisible"></span></a> <a href="https://c.im/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a> <a href="https://c.im/tags/bugreports" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugreports</span></a> <a href="https://c.im/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> <a href="https://c.im/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://c.im/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a> <a href="https://c.im/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://c.im/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a></p>
daniel:// stenberg://<p>I mentioned the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> AI slop thing on <a href="https://mastodon.social/tags/LinkedIn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LinkedIn</span></a></p>
Harry Sintonen<p>Why does the <a href="https://infosec.exchange/tags/AISlop" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AISlop</span></a> problem exist at <a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> (and likely other bug bounty platforms)?</p><p>Because apparently it works: <a href="https://hackerone.com/evilginx/hacktivity?type=user" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/evilginx/hacktiv</span><span class="invisible">ity?type=user</span></a></p><p>It seems that some projects pay bounties for such AI Slop reports.</p>
daniel:// stenberg://<p>While I can't be 100% sure, we (<a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a>) count 8 "AI slop" <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.</p>
daniel:// stenberg://<p>Round two in our fun game: "slop or not?"</p><p>(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)</p><p><a href="https://hackerone.com/reports/2912277" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2912277</span><span class="invisible"></span></a></p><p><a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a></p>
Harry Sintonen<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> Good. This is a real problem and if they don't address it, it may end up hurting them in the end. If <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a> is just full of AI "researchers" posting endless AI slop reports, their clients will move on.</p>
Harry Sintonen<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> "it rather seems that AI slop now can help lazy incompetent researchers trick the system."</p><p>Any AI slop should result in immediate ban or zeroing of the reputation.</p><p>Will we see something like this from <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a>? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.</p>
daniel:// stenberg://<p>Here's a link to today's AI slop <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report. Freshly disclosed: <a href="https://hackerone.com/reports/2887487" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2887487</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>Marking them as spam now. <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> (AI slop as "security vulnerability reports")</p>
daniel:// stenberg://<p>Also <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a>: please STOP pushing your silly AI features to me. I don't care.</p>
daniel:// stenberg://<p>The original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a>'s CVE-2024-7264: ASN.1 date parser overread is now published:</p><p><a href="https://hackerone.com/reports/2629968" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2629968</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>it has been nearly three months since the last valid <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a></p><p>Just saying.</p><p>I bet you can't find anything to report.</p><p>🤠</p>
Harry Sintonen<p><a href="https://infosec.exchange/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> project is so effective in resolving reports they've broken <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hackerone</span></a> <a href="https://hackerone.com/curl/policy_scopes" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/curl/policy_scop</span><span class="invisible">es</span></a></p>
daniel:// stenberg://<p>the original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report for CVE-2024-0853 is now public: <a href="https://hackerone.com/reports/2298922" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2298922</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>For details on the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> PSL vulnerability, check out the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report. And if you use libpsl, double-check that your use is correct: <a href="https://hackerone.com/reports/2212193" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2212193</span><span class="invisible"></span></a></p><p>Two projects mentioned in this report in particular should check their code.</p>
daniel:// stenberg://<p>We disclosed this <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> when someone asked Bard to find a vulnerability, and it hallucinated together something:</p><p> <a href="https://hackerone.com/reports/2199174" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2199174</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>If you want to see the full <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> report and pre-disclosure discussion for the latest <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> CVE, check this out: <a href="https://hackerone.com/reports/2039870" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2039870</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>First they submit junk security vulnerability reports at <a href="https://mastodon.social/tags/HackerOne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HackerOne</span></a>.</p><p>Then they whine when I close them as Not Applicable because that gives them a negative reputation.</p><p>Maybe not submit the crap reports in the first place to avoid "ruining" your reputation?</p>
daniel:// stenberg://<p>Reminder: we always disclose the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackerone</span></a> issues, including any discussions that led up to the disclosure of past CVEs. Today the last one from the previous release was made available: <a href="https://hackerone.com/curl/hacktivity?type=team" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/curl/hacktivity?</span><span class="invisible">type=team</span></a></p>