AI slop security reports submitted to curl

https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd

96•nobody9999•7mo ago

Comments

Rygian•7mo ago

Taking for example the one listed as https://hackerone.com/reports/2871792.

With the advantage of hindsight, the issue should have been entirely dismissed, and the account reported as invalid, right at the third message (November 30, 2024, 8:58pm UTC); the fact that curl maintainers allowed the "dialog" to continue for six more messages shows to be a mistake and a waste of effort.

I would even encourage curl maintainers to upfront reject any report that fails to mention a line number in the source code, or a specific piece input that triggers an issue.

It's unfortunate that AI is being used to worsen the signal/noise ratio [1] of such sensitive topics such as security.

[1] http://www.meatballwiki.org/wiki/SignalToNoiseRatio

zeta0134•7mo ago

It's pretty clear that in like half of these the "researcher" is just copy pasting the followup questions back into whatever LLM they used originally. What a colossal waste of everyone's time.

I think the only saving grace right this second is that the hallucinations are obvious and text generation is just awkward enough in overly-eager phrasing to recognize. But if you're seeing it for the first time, it can be surprisingly convincing.

raverbashing•7mo ago

Honestly? Might be wiser block submissions from certain parts of the world that are known for spamming things like that

Or have an infosec captcha, but that's harder to come by

bluGill•7mo ago

As time goes on they are getting faster at closing such reports. However they started off with an assumption of honesty and only after peing burned repeatedly given up.

this is bad for the honest person who can't describe a real issue well though.

heybrendan•7mo ago

I worked my way through about half the examples. What appalling behavior by several of the "submitters".

This comment [1] by icing (curl staff) sums up the risk:

> "This report and your other one seem like an attack on our resources to handle security issues."

Maintainers of widely deployed, popular software, including those whom have openly made a commitment to engineering excellence [2] and responsiveness [like the curl project AFAICT], can not afford to /not/ treat each submission with some level of preliminary attention and seriousness.

Submitting low quality, bogus reports generated by a hallucinating LLM, and then doubling down by being deliberately opaque and obtuse during the investigation and discussion, is disgraceful.

[1] https://hackerone.com/reports/3125832#activity-34389935

[2] https://curl.se/docs/bugs.html (Heading: "Who fixes the problems")

bgwalter•7mo ago

49 points, 4 hours, but only on page three.

This is a highly relevant log of the destructive nature of "AI", which consumes human time and has no clue what is going on in the code base. "AI" is like a five year old who has picked up some words and wants to sound smart.

I suppose the era of bug bounties is over.

bfrog•7mo ago

AI slop is coming in all forms. I see people using AI for code reviews on github now and they are net negative leading people to do the wrong things.

anal_reactor•7mo ago

The consequence of having an issue report system is that people submit random shit just to report something. The fact that they use AI to autogenerate reports allows them to do that at an unprecedented scale. The obvious solution to this problem is to use AI to filter out reports that aren't valuable. Have AI talk to AI.

This might sound silly but it's not. It's just an advanced version of automatic vulnerability scans.

AlSweigart•7mo ago

The primary use case of LLMs is producing undetectable spam.

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI

AUR malware scanner written in Rust

Free FFmpeg API [video]

Are AI agents ready for the workplace? A new benchmark raises doubts

Show HN: AI Watermark and Stego Scanner

Clarity vs. complexity: the invisible work of subtraction

Solid-State Freezer Needs No Refrigerants

Ask HN: Will LLMs/AI Decrease Human Intelligence and Make Expertise a Commodity?

From Zero to Hero: A Brief Introduction to Spring Boot

NSA detected phone call between foreign intelligence and person close to Trump

How to Fake a Robotics Result

It's time for the world to boycott the US

Show HN: Semantic Search for terminal commands in the Browser (No Back end)

The AI CEO Experiment

Speed up responses with fast mode

MS-DOS game copy protection and cracks

Updates on GNU/Hurd progress [video]

Epstein took a photo of his 2015 dinner with Zuckerberg and Musk

MyFlames: View MySQL execution plans as interactive FlameGraphs and BarCharts

Show HN: LLM of Babel

A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

Famfamfam Silk icons – also with CSS spritesheet

Apple is the only Big Tech company whose capex declined last quarter

Reverse-Engineering Raiders of the Lost Ark for the Atari 2600

Show HN: Deterministic NDJSON audit logs – v1.2 update (structural gaps)