Ars Technica News<p>Open source project curl is sick of users submitting “AI slop” vulnerabilities <a href="https://arstechni.ca/LAhpm" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arstechni.ca/LAhpm</span><span class="invisible"></span></a> <a href="https://c.im/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerabilities</span></a> <a href="https://c.im/tags/bugreports" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bugreports</span></a> <a href="https://c.im/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> <a href="https://c.im/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://c.im/tags/Tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tech</span></a> <a href="https://c.im/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> <a href="https://c.im/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AI</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.
Administered by:
Server stats:
244active users
shakedown.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#hackerone
0 posts · 0 participants · 0 posts today
Glyph<p><span class="h-card" translate="no"><a href="https://mastodon.social/@LukaszOlejnik" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>LukaszOlejnik</span></a></span> </p><p><a href="https://mastodon.social/tags/alt4u" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>alt4u</span></a> </p><p>The image is a screenshot of a post from "Daniel Stenberg, curl CEO. Code Emitting Organism" with a timestamp of "16h", showing that it was edited:</p><p>That's it. I've had it. I'm putting my foot down on this craziness.</p><p>1. Every reporter submitting security reports on <a href="https://mastodon.social/tags/Hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hackerone</span></a> for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> now needs to answer this question:<br>"Did you use an Al to find the problem or generate this submission?"</p><p>(continued in next post)</p>
daniel:// stenberg://<p>I mentioned the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> AI slop thing on <a href="https://mastodon.social/tags/LinkedIn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LinkedIn</span></a></p>
Harry Sintonen<p>Why does the <a href="https://infosec.exchange/tags/AISlop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AISlop</span></a> problem exist at <a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> (and likely other bug bounty platforms)?</p><p>Because apparently it works: <a href="https://hackerone.com/evilginx/hacktivity?type=user" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hackerone.com/evilginx/hacktiv</span><span class="invisible">ity?type=user</span></a></p><p>It seems that some projects pay bounties for such AI Slop reports.</p>
daniel:// stenberg://<p>While I can't be 100% sure, we (<a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a>) count 8 "AI slop" <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.</p>
daniel:// stenberg://<p>Round two in our fun game: "slop or not?"</p><p>(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)</p><p><a href="https://hackerone.com/reports/2912277" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2912277</span><span class="invisible"></span></a></p><p><a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a></p>
Harry Sintonen<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>bagder</span></a></span> "it rather seems that AI slop now can help lazy incompetent researchers trick the system."</p><p>Any AI slop should result in immediate ban or zeroing of the reputation.</p><p>Will we see something like this from <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hackerone</span></a>? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.</p>
daniel:// stenberg://<p>Here's a link to today's AI slop <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report. Freshly disclosed: <a href="https://hackerone.com/reports/2887487" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2887487</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>Marking them as spam now. <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> (AI slop as "security vulnerability reports")</p>
daniel:// stenberg://<p>Also <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a>: please STOP pushing your silly AI features to me. I don't care.</p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@dbof" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dbof</span></a></span> Their <em>"friction"</em> is mere lazyness to distribute the Secret Key among their devs.</p><p>And if <a href="https://infosec.space/tags/JitsiMeet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>JitsiMeet</span></a> devs can't be assed to do something that trivial then maybe folks who want to stay anonymous won't contact them, but instead send their exploit in a <a href="https://infosec.space/tags/PGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PGP</span></a>/MIME-encrypted eMail to <a href="https://infosec.space/tags/Zerodium" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Zerodium</span></a> where they get paid in <a href="https://infosec.space/tags/XMR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XMR</span></a> with no questions asked.</p><ul><li>IOW: If they make it hard to do <em>"the right thing"</em> then people won't do it.</li></ul><p>I asked on behalf of a friend who wanted to stay anonymous and doesn't have a <a href="https://infosec.space/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GitHub</span></a> or <a href="https://infosec.space/tags/HackerOne" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HackerOne</span></a> account and can't signup to either due to unacceptable <a href="https://infosec.space/tags/ToS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ToS</span></a>.</p><ul><li>If that's outside of their imagination then maybe they are unfit to debelop and maintain such a software...</li></ul><p><a href="https://infosec.space/tags/rant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rant</span></a> <a href="https://infosec.space/tags/ITsec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITsec</span></a> <a href="https://infosec.space/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.space/tags/OpSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpSec</span></a> <a href="https://infosec.space/tags/ComSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ComSec</span></a> <a href="https://infosec.space/tags/ResponsibleDisclosure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ResponsibleDisclosure</span></a></p>
daniel:// stenberg://<p>The original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a>'s CVE-2024-7264: ASN.1 date parser overread is now published:</p><p><a href="https://hackerone.com/reports/2629968" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2629968</span><span class="invisible"></span></a></p>
Yellow Flag<p>Just a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.</p><p>If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.</p><p>And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.</p><p><a href="https://infosec.exchange/tags/Bugcrowd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bugcrowd</span></a> <a href="https://infosec.exchange/tags/HackerOne" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HackerOne</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BugBounty</span></a></p>
daniel:// stenberg://<p>it has been nearly three months since the last valid <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a></p><p>Just saying.</p><p>I bet you can't find anything to report.</p><p>🤠</p>
daniel:// stenberg://<p>the original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report for CVE-2024-0853 is now public: <a href="https://hackerone.com/reports/2298922" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2298922</span><span class="invisible"></span></a></p>
NO NAME<p><a href="https://soapbox.hackdefendr.com/tags/PlayStation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PlayStation</span></a> just awarded a never-seen-before $50K <a href="https://soapbox.hackdefendr.com/tags/bounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bounty</span></a> on <a href="https://soapbox.hackdefendr.com/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> </p><p>But don’t get excited just yet</p><p><a href="https://wololo.net/2024/01/13/playstation-just-awarded-a-never-seen-before-50k-bounty-on-hackerone-but-dont-get-excited-just-yet/#google_vignette" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">wololo.net/2024/01/13/playstat</span><span class="invisible">ion-just-awarded-a-never-seen-before-50k-bounty-on-hackerone-but-dont-get-excited-just-yet/#google_vignette</span></a></p>
Soldier of FORTRAN :ReBoot:<p>Just so we're clear, when you see HackerOne, you pronounce it Hack-a-rony, right?</p><p><a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> <a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ctf</span></a></p>
daniel:// stenberg://<p>Fro details on the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> PSL vulnerability, check out the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report. And if you use libpsl, double-check that your use is correct: <a href="https://hackerone.com/reports/2212193" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2212193</span><span class="invisible"></span></a></p><p>Two mentioned projects in this report in particular should check their code.</p>
daniel:// stenberg://<p>We disclosed this <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> when someone asked Bard to find a vulnerability, and it hallucinated together something:</p><p> <a href="https://hackerone.com/reports/2199174" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackerone.com/reports/2199174</span><span class="invisible"></span></a></p>
IT News<p>Ex-Ubiquiti engineer behind “breathtaking” data theft gets 6-year prison term - Enlarge (credit: SOPA Images / Contributor | LightRocket) </p><p>An e... - <a href="https://arstechnica.com/?p=1938574" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="">arstechnica.com/?p=1938574</span><span class="invisible"></span></a> <a href="https://schleuss.online/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://schleuss.online/tags/dataextortion" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dataextortion</span></a> <a href="https://schleuss.online/tags/databreach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>databreach</span></a> <a href="https://schleuss.online/tags/bugbounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bugbounty</span></a> <a href="https://schleuss.online/tags/extortion" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>extortion</span></a> <a href="https://schleuss.online/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hackerone</span></a> <a href="https://schleuss.online/tags/ubiquiti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ubiquiti</span></a> <a href="https://schleuss.online/tags/policy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>policy</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload