We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:
https://hackerone.com/reports/2199174
curl disclosed on HackerOne: [Critical] Curl CVE-2023-38545...
## Summary: Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet ## Steps To Reproduce: To replicate the issue, I have searched in the Bard about this vulnerability. It...

Dylan Van Assche
in reply to daniel:// stenberg://

Kornel
in reply to daniel:// stenberg://
{"error": "too many requests"}
You've hacked hackerone (remote DoS, 9.8 CVSS)

Kevin P. Fleming
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to Kevin P. Fleming

cohomology is FUN!
in reply to daniel:// stenberg://

derekheld
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to derekheld

derekheld
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to derekheld

Brodie Robertson
in reply to daniel:// stenberg://

kurtseifried (he/him)
in reply to daniel:// stenberg://
I remember when I was at Red Hat I did a thought experiment: what is the minimal amount of work an attacker could do to cause the maximum amount of effort by a security team?
This was over 10 years ago and a lot of what we were experiencing and what I came up with back then is now trivial for attackers thanks to these LLMs.
And the problem is you can’t have a skill testing question or something because occasionally somebody will find a gem in the rough and report it, and the risk of missing that is seen as not acceptable by most people.
I don’t know what the future holds for open source security reporting, but I have a suspicion things are gonna have to change in the next few years. People are going to get burnt out.
Edit: for readability

daniel:// stenberg://
in reply to kurtseifried (he/him)

Adam Piggott
in reply to daniel:// stenberg://

Patrick $8 :verified:
in reply to daniel:// stenberg://

Ingvar
in reply to daniel:// stenberg://

SuperIlu
in reply to daniel:// stenberg://

Andreas Scherbaum
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to Andreas Scherbaum

Andreas Scherbaum
in reply to daniel:// stenberg://
They pay for your time and effort, not for the bug report per se.
This invoice can be avoided by adding information on what steps the submitter did in order to verify the LLM output.

Andreas Scherbaum
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to Andreas Scherbaum

Dan Bergh Johnsson
in reply to daniel:// stenberg://
Makes me wonder: how off are these hallucinations? Are they anywhere closely resembling the truth? Or partial? Or in the correct region?

Brodie Robertson
in reply to Dan Bergh Johnsson

daniel:// stenberg://
in reply to Brodie Robertson

Dan Bergh Johnsson
in reply to daniel:// stenberg://

soc
in reply to daniel:// stenberg://
My reply would have certainly contained the phrase "fucking idiot".