daniel:// stenberg://

1 day ago

daniel:// stenberg://
1 day ago

On the morning of the 13th day of the year we have received *checks notes* 13 #curl vulnerability reports on Hackerone this year.

None a confirmed vulnerability.

#curl

in reply to daniel:// stenberg://

Christopher Snowhill

in reply to daniel:// stenberg:// 1 day ago

Cue one of Steve Burke's "AI AI AI AI AI" montages from CES or such.

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 day ago

I suppose the upside is that lots of people are scrutinizing and try really hard to poke holes.

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 day ago

Ironically, we have also received complaints from people who get annoyed when we disclose so many rubbish reports on Hackerone...

github.com/curl/curl/issues/20…

plz stop publishing NAs / infos to hacktivity on hackerone

Specify which documentation you found a problem with plz stop publishing NAs / infos to hacktivity on hackerone it clogs hacktivity for people wanting to read good disclosures The problem plz stop ...

^{teflon-cd (GitHub)}

This entry was edited (1 day ago)

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 day ago

and of course some of the people I ridicule, ban and expose in these reports come back to me all up in arms about them being completely innocent and they did not know and now I have ruined their professional lives because their cool hacker aliases are now tainted.

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 1 day ago

Very sad indeed.

But we *do* let reports through if the hacker alias is really cool. Which, in these cases, they really weren‘t. 🔥💁🏻‍♂️

in reply to daniel:// stenberg://

Gregory

in reply to daniel:// stenberg:// 1 day ago

huh??? Doesn't curl policy explicitly mention that the use of AI must be disclosed? Is it not entirely their own fault that they always miss this part?

in reply to daniel:// stenberg://

Mike Anderson

in reply to daniel:// stenberg:// 1 day ago

they were happy enough thinking that they would boost their reputation by finding a vulnerability in curl...

in reply to daniel:// stenberg://

jwz

in reply to daniel:// stenberg:// 1 day ago

You mean I can't keep using "The Master of Disaster" on GitHub???

in reply to jwz

daniel:// stenberg://

in reply to jwz 1 day ago

@jwz pfft, there are not even *one* "leet speak" letter in that name! 😁

@jwz

in reply to daniel:// stenberg://

Volker Stolz

in reply to daniel:// stenberg:// 1 day ago

🎻 – pity there isn’t an emoji with an even smaller one.

in reply to daniel:// stenberg://

Brokar

in reply to daniel:// stenberg:// 1 day ago

If they don't check their AI slop before posting, it's up to them to take the (rightful) beating for it.

No mercy.

in reply to daniel:// stenberg://

G Allen

in reply to daniel:// stenberg:// 1 day ago

Elite haxx0r FuxAr0und very mad about FindOut.

in reply to daniel:// stenberg://

Mike Anderson

in reply to daniel:// stenberg:// 1 day ago

thank you for doing this and being vocal about it. The many-eyes principle does not work if some of the 'eyes' are crying wolf.

in reply to daniel:// stenberg://

Luke Nelson

in reply to daniel:// stenberg:// 1 day ago

> it clogs hacktivity for people wanting to read good disclosures

I don't user hackerone but I'd imagine there are filters in the UI to hide these?

in reply to Luke Nelson

daniel:// stenberg://

in reply to Luke Nelson 1 day ago

yes there is

in reply to daniel:// stenberg://

niallor

in reply to daniel:// stenberg:// 1 day ago

shooting the messenger is ever the easy option

in reply to daniel:// stenberg://

Carsten

in reply to daniel:// stenberg:// 1 day ago

*sigh* that does NOT bode well for the remaining days.

Thanks for enduring this!

in reply to daniel:// stenberg://

Thoralf Will 🇺🇦🇮🇱🇹🇼

in reply to daniel:// stenberg:// 1 day ago

How many credible reports from that source?
If the ratio is too bad, I would consider to simply ignore reports from trash sources. Not worth the effort.

⇧

daniel:// stenberg:// 1 day ago • •

daniel:// stenberg://
1 day ago