One thing I see mentioned on reddit is that there's a lot of AI junk recently in bug bounty reports, and that AIs currently seem to have trouble distinguishing between "this is a bug" and "this is an actual vulnerability."
whatamidoingyo•1h ago
I have recently started bug hunting again, and asking ChatGPT questions is really frustrating (e.g. "nmap port scan less aggressive?" -> "Sorry, I can't help you with that.") Right to Google.
It also feeds into things. I'll feel like I'm so close to a discovery, and ask ChatGPT if I found sensitive data, or a vulnerability, and it always says "yes", but 90% of the time, it's not. I end up Googling away to find out what I really have.
I would never use ChatGPT for a report, or trust it with this sort of thing. You could probably ask it if editing HTML with dev tools is a security vulnerability, and it will probably say "Yes, you should immediately report that. Would you like me to draft the report for you?"
It's good for writing some short scripts, though. Just don't let it know it's for a "bug bounty". Can't believe people are just blindly trusting it.
elevation•1h ago
You need an LLM trained specifically for pentesting support. TFA links to a site advertising Burp AI [0]. Looks useful for bug bounties but data policies can prevent pentesters from using it in their engagements.
elicash•1h ago
whatamidoingyo•1h ago
It also feeds into things. I'll feel like I'm so close to a discovery, and ask ChatGPT if I found sensitive data, or a vulnerability, and it always says "yes", but 90% of the time, it's not. I end up Googling away to find out what I really have.
I would never use ChatGPT for a report, or trust it with this sort of thing. You could probably ask it if editing HTML with dev tools is a security vulnerability, and it will probably say "Yes, you should immediately report that. Would you like me to draft the report for you?"
It's good for writing some short scripts, though. Just don't let it know it's for a "bug bounty". Can't believe people are just blindly trusting it.
elevation•1h ago
[0]: https://portswigger.net/burp/ai
redbell•1h ago
See: https://news.ycombinator.com/item?id=45330378
danielfalbo•47m ago