daniel:// stenberg://

1 month ago

daniel:// stenberg://
1 month ago

Death by a thousand slops

daniel.haxx.se/blog/2025/07/14…

Death by a thousand slops

I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down.

^{daniel.haxx.se}

in reply to daniel:// stenberg://

Quentin Pradet

in reply to daniel:// stenberg:// 1 month ago

urllib3 doesn’t offer monetary rewards but we still get AI slop and 10x more reports than before. Of course it’s much less than curl but one report per month is still a lot for our small volunteer team. Thankfully so far the slop itself was easy to decline.

in reply to Quentin Pradet

daniel:// stenberg://

in reply to Quentin Pradet 1 month ago

@quentinpradet yeah, I'm a little worried that the money part is a distraction and not at all the big explanation...

@Quentin Pradet

in reply to daniel:// stenberg://

Quentin Pradet

in reply to daniel:// stenberg:// 1 month ago

still that’s a totally different scale so it sounds like it’s worth a try.

in reply to daniel:// stenberg://

Josh Bressers

in reply to daniel:// stenberg:// 1 month ago

@quentinpradet

Back when I ran a bug bounty program, the HackerOne folks would suggest new bug hunters find projects that offer no rewards as a way to build up their reputation, as a bunch of the very large bounties only let people in with a reputation greater than some number

I also have a suspicion many of the slop reports are coming from people who decided they could use an LLM to make some quick cash because it told them it was awesome at ... well, everything

@Quentin Pradet

in reply to daniel:// stenberg://

Fubaroque

in reply to daniel:// stenberg:// 1 month ago

I guess you found the title for your presentation. #welldone #niceone

#WellDone #niceone

in reply to daniel:// stenberg://

jens persson

in reply to daniel:// stenberg:// 1 month ago

Not fully formed thought from the sideline. Perhaps it is possible to incur some kind of cost that is not monetary on the submitter, "You must have a reputation over X on Hackerone" or "You have to have something accepted into a 'well known' project".
Not sure how to implement and it would probably involve some change from Hackerone also.

Or start reviewing the submissions with AI 😉

in reply to daniel:// stenberg://

n-gons

in reply to daniel:// stenberg:// 1 month ago

My immediate thought is requiring X reviews of other submissions before you get to submit... not sure if practical though

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 month ago

on hacker news: news.ycombinator.com/item?id=4…

Death by a Thousand Slops | Hacker News

^{news.ycombinator.com}

in reply to daniel:// stenberg://

Ricardo Nabinger Sanchez

in reply to daniel:// stenberg:// 1 month ago

requiring a *working* PoC/artifact for reproducing upon submission? But there is no solution---just as with faulty science.

in reply to daniel:// stenberg://

Bart Louwers

in reply to daniel:// stenberg:// 1 month ago

Have you considered reviewing the security reports with AI? At least as a first pass? I suspect ironically AI is pretty good at detecting AI slop.

chatgpt.com/share/6874f471-7cf…

ChatGPT - New chat

Shared via ChatGPT

^ChatGPT

in reply to daniel:// stenberg://

Kim Spence-Jones 🇬🇧😷

in reply to daniel:// stenberg:// 1 month ago

Maybe a crazy suggestion, but suppose it cost say $5 to submit a bug report eligible for the reward (but free if you don’t want to be eligible)? People who are confident their report is accurate won’t mind. People who are just AI spamming will think twice (or you get their money!)
If the prospect of a reward is driving the report submissions, that should slow down the slop. If something else is going on, that will become clear.

in reply to daniel:// stenberg://

Jason 🍸🫧

in reply to daniel:// stenberg:// 1 month ago

Just an idea, but when in doubt, ask them to provide video evidence of the vulnerability? If they can create slop, they should be capable of downloading OBS and recording a PoC. It might also show them that the “solution” or even the “problem” aren’t real.

in reply to daniel:// stenberg://

David Keck

in reply to daniel:// stenberg:// 1 month ago

man reading through those reports is painful. so obviously terrible AI responses. "Certainly! Let me explain..." then complete trash.

in reply to daniel:// stenberg://

Janik

in reply to daniel:// stenberg:// 1 month ago

I am following your situation with AI slop very closely. To my understanding the cost to generate a security report has become very cheap and HackerOne as a platform makes it quite easy to submit it to you without going through quality gates. Does it makes sense to increase the cost of submitting and generating a security report? I think of CI-pipline-like quality gates that check for arbitrary checks. Some proof-of-work checks that aim to increase the cost for slop reports.

in reply to daniel:// stenberg://

Major Denis Bloodnok

in reply to daniel:// stenberg:// 1 month ago

Not entirely serious, but reject anything with fancy formatting? When I write a bug report it's in as close to 80 column plain text as the interface will let me; all these slop machines seem to love bold headings all over the place.

in reply to daniel:// stenberg://

Karsten Johansson

in reply to daniel:// stenberg:// 1 month ago

I haven't seen the process, but do you require proof of vulnerability? I would ignore anything that doesn't come with proof. It's not like a vuln researcher wouldn't have proof on hand, just by the process of finding vulnerabilities in the first place.

Then you can focus on the proofs, and flat out deny any claims that come with insufficient pre-packaged proof.

in reply to daniel:// stenberg://

ghosttie

in reply to daniel:// stenberg:// 1 month ago

if education is the problem maybe modifying the report page to say "do not submit reports from LLMs for these reasons:" and maybe a "I certify that I have not used an LLM" step?

⇧

daniel:// stenberg:// 1 month ago • •

daniel:// stenberg://
1 month ago