This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.
Even if you subtract the 35 likely slop submissions the trend stays the same, though. So, is the slop count an underestimation, or are there different root causes?
it's very hard to assess what is slop. I suspect a large amount of people get tricked by AIs but submit the report "in a human way" so that the AI's involvement is invisible. But that's just one theory.
Alas, I see the same on those security contact aliases I'm still on.
The highlight of the week was someone sending a several-pages-long report on an "exposed" Grafana instance, with API traces, screenshots, etc pp. Oh no, confidential data leakage! Asked for a bounty and urged to turn off anonymous access.
Yes, my bro, that is the *public* telemetry dashboard.
There's zero amount of thinking happening before they send those out. Asymmetric warfare.
in a few months' time (yes, new year's prediction) the industry will have a financial correction of indeterminate size ... after that it will be easier to reason with folks. As with any tech surge, there are a few things that are useful and a lot of speculation ... the scale (and speed) of all this is daunting mostly due to uncontrolled outcomes. Calm heads prevail.
similar experience on yeswehack. To be fair the platform owners are trying really hard to put a stop to it, but it's like trying to stop a tsunami with a portable umbrella. I'm beginning to think these platforms need to start charging a deposit for any submitted report...
Maddening.
And there is probably more than the "identified slop", as the growth is much higher than that?