Round two in our fun game: "slop or not?"
(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)
curl disclosed on HackerOne: Hackers Attack Curl Vulnerability...
DISREGARD. Consider this an example template as I just joined. Respectfully, ScottHackerOne
SuperIlu
in reply to daniel:// stenberg://
"can you explain how this came to happen?"
Well, I guess he tripped and fell on his keyboard and when he finally got up he had submitted the report by accident?
or maybe his cat?
daniel:// stenberg://
in reply to SuperIlu
Phil
in reply to daniel:// stenberg://
Kind of a side-topic, and not related to curl, but this gave me a terrifying idea.
What if malicious actors submit vulnerability reports to make FOSS maintainers' lives harder, just to give themselves more time to exploit actual 0-days?
The xz utils incident was careful and long-term, but if someone does find a vulnerability and they're malicious, presumably they'll want to keep it unaddressed for as long as possible.
What better way to do that than distract everyone they can with AI-generated BS? Even if it buys them 30 minutes or an hour, that's time during which they could do damage.
Gives me the creeps.
daniel:// stenberg://
in reply to Phil