Open source project curl is sick of users submitting “AI slop” vulnerabilities https://arstechni.ca/LAhpm #vulnerabilities #bugreports #hackerone #security #Tech #curl #AI
The image is a screenshot of a post from "Daniel Stenberg, curl CEO. Code Emitting Organism" with a timestamp of "16h", showing that it was edited:
That's it. I've had it. I'm putting my foot down on this craziness.
1. Every reporter submitting security reports on #Hackerone for #curl now needs to answer this question:
"Did you use an Al to find the problem or generate this submission?"
(continued in next post)
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user
It seems that some projects pay bounties for such AI Slop reports.
While I can't be 100% sure, we (#curl) count 8 "AI slop" #hackerone submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.
Round two in our fun game: "slop or not?"
(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)
@bagder Good. This is a real problem and if they don't address it, it may end up hurting them in the end. If #Hackerone is just full of AI "researches" posting endless AI slop reports, their clients will move on.
@bagder "it rather seems that AI slop now can help lazy incompetent researchers trick the system."
Any AI slop should result in immediate ban or zeroing of the reputation.
Will we see something like this from #Hackerone? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.
Here's a link to today's AI slop #curl #hackerone report. Freshly disclosed: https://hackerone.com/reports/2887487
Marking them as spam now. #curl #hackerone (AI slop as "security vulnerability reports")
Also #hackerone: please STOP pushing your silly AI features to me. I don't care.
Did you know that #ONLYOFFICE has a bug bounty program on #HackerOne? 
HackerOne is a cybersecurity platform designed to help companies in various industries find and eliminate vulnerabilities and bugs.
The ONLYOFFICE programme on HackerOne allows ethical hackers to report bugs and vulnerabilities and get rewarded.
More information: https://www.onlyoffice.com/blog/2023/08/onlyoffice-hackerone-program-summer-23-updates
The original #hackerone report for #curl's CVE-2024-7264: ASN.1 date parser overread is now published:
Just a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.
If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.
And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.
it has been nearly three months since the last valid #hackerone report against #curl
Just saying.
I bet you can't find anything to report.
#curl project is so effective in resolving reports they've broken #Hackerone https://hackerone.com/curl/policy_scopes
the original #hackerone report for CVE-2024-0853 is now public: https://hackerone.com/reports/2298922
*facepalm*
I created a second #HackerOne account using the Punycode representation of this domain for my email address. It worked.
So now there are two accounts with the same email address, which is what you use to login. You can see where this is going.
For details on the #curl PSL vulnerability, check out the #hackerone report. And if you use libpsl, double-check that your use is correct: https://hackerone.com/reports/2212193
Two mentioned projects in this report in particular should check their code.
