classic! I got pulled into a Big Serious Meeting with the boss 15 years ago about this sort of thing once!

Thing is: it was literally foo/bar and had a name like “testCreds” 🤪

I’ll never forget the Senior Developer who was there to throw me under the bus, too!

(I quit shortly after)

Is it weird that I read these like they're comics?

The Adventures of Bagder in Hackerland:
Hilarious antics ensue when another AI-assisted researcher discovers another serious security flaw in the curl project...

Will the future of the known internet be forever changed?
Will the report stay open for longer than 3 hours?
Will the AI finally get a bug bounty?

Probably nah, but let's watch anyway.

lmao.

Did not know I was submitting crap.

"I just found this in the trashcan nearby. Didn't know it was garbage. Did you expect me to smell it or something?"

oh, we got one like these too (as a private business with no bounty or anything even). Extremely critical disclosure of credentials, abuse risk, lenghty "report" with long steps and stuff, with reproduction against a third party service.

We had the default maptiler key from element-web's default config.json served somewhere (it is in their github repository), alongside with… the URL of our server, served by that very same URL. Which is public.

A great loss of time indeed.

This just makes me want to scream.

But do they actually believe that they are submitting something useful?

Also: The act of asking another human "Hey, does this thing make sense?" seems to have been completely forgotten.

secret scanning is a good idea given the number of checked in keys in the world.

But we still have to explain every couple years to folks that the "compiler can process .pfx files" unit tests aren't security problems 😅