Shakedown Social

0 posts0 participants0 posts today

daniel:// stenberg://While I can't be 100% sure, we (<a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a>) count 8 "AI slop" <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.

daniel:// stenberg://Round two in our fun game: "slop or not?"(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)<a href="https://hackerone.com/reports/2912277" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2912277</a><a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a>

Harry Sintonen<a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@bagder</a> "it rather seems that AI slop now can help lazy incompetent researchers trick the system."Any AI slop should result in immediate ban or zeroing of the reputation.Will we see something like this from <a href="https://infosec.exchange/tags/Hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Hackerone</a>? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.

daniel:// stenberg://Here's a link to today's AI slop <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report. Freshly disclosed: <a href="https://hackerone.com/reports/2887487" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2887487</a>

daniel:// stenberg://Marking them as spam now. <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> (AI slop as "security vulnerability reports")

daniel:// stenberg://Also <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a>: please STOP pushing your silly AI features to me. I don't care.

Kevin Karhan :verified:<a href="https://infosec.exchange/@dbof" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@dbof</a> Their "friction" is mere lazyness to distribute the Secret Key among their devs.And if <a href="https://infosec.space/tags/JitsiMeet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#JitsiMeet</a> devs can't be assed to do something that trivial then maybe folks who want to stay anonymous won't contact them, but instead send their exploit in a <a href="https://infosec.space/tags/PGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PGP</a>/MIME-encrypted eMail to <a href="https://infosec.space/tags/Zerodium" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Zerodium</a> where they get paid in <a href="https://infosec.space/tags/XMR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#XMR</a> with no questions asked.<ul><li>IOW: If they make it hard to do "the right thing" then people won't do it.</li></ul>I asked on behalf of a friend who wanted to stay anonymous and doesn't have a <a href="https://infosec.space/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GitHub</a> or <a href="https://infosec.space/tags/HackerOne" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HackerOne</a> account and can't signup to either due to unacceptable <a href="https://infosec.space/tags/ToS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ToS</a>.<ul><li>If that's outside of their imagination then maybe they are unfit to debelop and maintain such a software...</li></ul><a href="https://infosec.space/tags/rant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#rant</a> <a href="https://infosec.space/tags/ITsec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ITsec</a> <a href="https://infosec.space/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.space/tags/OpSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpSec</a> <a href="https://infosec.space/tags/ComSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ComSec</a> <a href="https://infosec.space/tags/ResponsibleDisclosure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ResponsibleDisclosure</a>

daniel:// stenberg://The original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a>'s CVE-2024-7264: ASN.1 date parser overread is now published:<a href="https://hackerone.com/reports/2629968" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2629968</a>

Yellow FlagJust a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.<a href="https://infosec.exchange/tags/Bugcrowd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Bugcrowd</a> <a href="https://infosec.exchange/tags/HackerOne" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HackerOne</a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BugBounty</a>

daniel:// stenberg://it has been nearly three months since the last valid <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a>Just saying.I bet you can't find anything to report.🤠

daniel:// stenberg://the original <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report for CVE-2024-0853 is now public: <a href="https://hackerone.com/reports/2298922" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2298922</a>

NO NAME<a href="https://soapbox.hackdefendr.com/tags/PlayStation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PlayStation</a> just awarded a never-seen-before $50K <a href="https://soapbox.hackdefendr.com/tags/bounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bounty</a> on <a href="https://soapbox.hackdefendr.com/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> But don’t get excited just yet<a href="https://wololo.net/2024/01/13/playstation-just-awarded-a-never-seen-before-50k-bounty-on-hackerone-but-dont-get-excited-just-yet/#google_vignette" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://wololo.net/2024/01/13/playstation-just-awarded-a-never-seen-before-50k-bounty-on-hackerone-but-dont-get-excited-just-yet/#google_vignette</a>

Soldier of FORTRAN :ReBoot:Just so we're clear, when you see HackerOne, you pronounce it Hack-a-rony, right?<a href="https://infosec.exchange/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> <a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ctf</a>

daniel:// stenberg://Fro details on the <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> PSL vulnerability, check out the <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report. And if you use libpsl, double-check that your use is correct: <a href="https://hackerone.com/reports/2212193" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2212193</a>Two mentioned projects in this report in particular should check their code.

daniel:// stenberg://We disclosed this <a href="https://mastodon.social/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> report against <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> when someone asked Bard to find a vulnerability, and it hallucinated together something: <a href="https://hackerone.com/reports/2199174" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://hackerone.com/reports/2199174</a>

IT NewsEx-Ubiquiti engineer behind “breathtaking” data theft gets 6-year prison term - Enlarge (credit: SOPA Images / Contributor | LightRocket) An e... - <a href="https://arstechnica.com/?p=1938574" rel="nofollow noopener noreferrer" target="_blank">https://arstechnica.com/?p=1938574</a> <a href="https://schleuss.online/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://schleuss.online/tags/dataextortion" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dataextortion</a> <a href="https://schleuss.online/tags/databreach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#databreach</a> <a href="https://schleuss.online/tags/bugbounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bugbounty</a> <a href="https://schleuss.online/tags/extortion" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#extortion</a> <a href="https://schleuss.online/tags/hackerone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hackerone</a> <a href="https://schleuss.online/tags/ubiquiti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ubiquiti</a> <a href="https://schleuss.online/tags/policy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#policy</a>

Recent searches

Search options

Administered by:

Server stats:

#hackerone