Open source project curl is sick of users submitting “AI slop” vulnerabilities
“One way you can tell is it’s always such a nice report,” founder tells Ars.Kevin Purdy (Ars Technica)
“One way you can tell is it’s always such a nice report,” founder tells Ars.Kevin Purdy (Ars Technica)
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: hackerone.com/evilginx/hacktiv…
It seems that some projects pay bounties for such AI Slop reports.
Round two in our fun game: "slop or not?"
(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)
DISREGARD. Consider this an example template as I just joined. Respectfully, ScottHackerOne
"it rather seems that AI slop now can help lazy incompetent researchers trick the system."
Any AI slop should result in immediate ban or zeroing of the reputation.
Will we see something like this from #Hackerone? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.
*Curl is a software that I love and is an important tool for the world. * *If my report doesn't align, I apologize for that.* The `Curl_inet_ntop` function is designed to convert IP addresses from...HackerOne
The original #hackerone report for #curl's CVE-2024-7264: ASN.1 date parser overread is now published:
## Summary: When a specially-crafted certificate is passed to `Curl_extract_certinfo` to parse, it may read bytes beyond the end of the buffer in which the certificate is held. According to the...HackerOne
## Summary: In version 8.5.0, cURL has inadvertently established a pathway for accepting revoked certificates. As a result of [this...HackerOne
For details on the #curl PSL vulnerability, check out the #hackerone report. And if you use libpsl, double-check that your use is correct: hackerone.com/reports/2212193
Two mentioned projects in this report in particular should check their code.
## Summary: libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the...HackerOne
We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:
## Summary: Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet ## Steps To Reproduce: To replicate the issue, I have searched in the Bard about this vulnerability. It...HackerOne