• lemmydividebyzero@reddthat.com (OP)
    2 days ago

    Luckily, the word “Certainly” is a huge hint that it was generated by AI. You know that the reporter of the “issue” copy-pasted the question of the developer right into the LLM and copy-pasted the output right into HackerOne.

    • TheBlackLounge@lemmy.zip
      20 hours ago

      Hindsight bias. This is from 2023. It’s obvious now. If it still was this easy to spot they wouldn’t have closed the bug bounty program.

      • T156@lemmy.world
        19 hours ago

        It was volume that was more the issue with the bug bounty program.

        They were flooded, and recognising it is all well and good, but not if there’s no good way to filter it out, not without massive collateral.

        • TheBlackLounge@lemmy.zip
          19 hours ago

          I encourage you to read some threads linked at the bottom of the article. The AI spammers have become way less obvious, one even has video. The team still checks every issue.

          • T156@lemmy.world
            17 hours ago

            Right, but the volume was the issue. The cURL team could only work through and verify them so quickly, so the deluge of bug reports just made it impractical for them to dedicate time to sort through it. The idea in getting rid of the bug bounty was that there would be less of an incentive to generate and write a bogus bug report.

            If it was just a small handful of fake security reports, they wouldn’t have minded nearly as much.

    • brsrklf@jlai.lu
      20 hours ago

      Well, another big hint is how the thing answered by addressing a username that wasn’t part of the exchange, twice. And then messed up the “@” when they pointed that out to it.

      If it’s even manually copy-pasted, the guy doing that didn’t allocate a single brain cell to what was being discussed.