Items tagged with: hackerone
1. User complains to #hackerone that I named his *previous* name when he renamed himself to a silly name after I banned him in a #curl report filed back in October.
2. Hackerone asks me to respond on their support forum, on which I have no account. Grrr. I refuse to.
3. Replying to the hackerone email about this instead, I get a bounce saying they don't accept emails on support@hackerone ...
Kill me now.
@bagder Interesting. Was AI slop difficult to spot back in 2023?
curl disclosed on HackerOne: Buffer Overflow Vulnerability in...
## Summary: Hello security team, Hope you are doing well :) I would like to report a potential security vulnerability in the WebSocket handling code of the curl library. The issue is related to... (HackerOne)
Open source project curl is sick of users submitting “AI slop” vulnerabilities
“One way you can tell is it’s always such a nice report,” founder tells Ars. Kevin Purdy (Ars Technica)
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: hackerone.com/evilginx/hacktiv…
It seems that some projects pay bounties for such AI Slop reports.
Round two in our fun game: "slop or not?"
(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)
curl disclosed on HackerOne: Hackers Attack Curl Vulnerability...
DISREGARD. Consider this an example template as I just joined. Respectfully, Scott (HackerOne)
"it rather seems that AI slop now can help lazy incompetent researchers trick the system."
Any AI slop should result in immediate ban or zeroing of the reputation.
Will we see something like this from #Hackerone? Considering their weird affection for AI, I'm not expecting much to happen. As long as quantity is the measuring stick rather than quality, nothing will happen.
curl disclosed on HackerOne: Buffer Overflow Risk in Curl_inet_ntop...
*Curl is a software that I love and is an important tool for the world.* *If my report doesn't align, I apologize for that.* The `Curl_inet_ntop` function is designed to convert IP addresses from... (HackerOne)
The original #hackerone report for #curl's CVE-2024-7264: ASN.1 date parser overread is now published:
curl disclosed on HackerOne: CVE-2024-7264: ASN.1 date parser overread
## Summary: When a specially-crafted certificate is passed to `Curl_extract_certinfo` to parse, it may read bytes beyond the end of the buffer in which the certificate is held. According to the... (HackerOne)
curl disclosed on HackerOne: CVE-2024-0853: OCSP verification...
## Summary: In version 8.5.0, cURL has inadvertently established a pathway for accepting revoked certificates. As a result of [this... (HackerOne)
For details on the #curl PSL vulnerability, check out the #hackerone report. And if you use libpsl, double-check that your use is correct: hackerone.com/reports/2212193
Two mentioned projects in this report in particular should check their code.
curl disclosed on HackerOne: CVE-2023-46218: cookie mixed case PSL...
## Summary: libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the... (HackerOne)
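The post above says the bug is a missing normalization step in front of a public-suffix check: cookie-domain matching is case-insensitive, but the suffix lookup compared strings exactly, so a mixed-case domain such as `co.UK` was not recognized as a public suffix and a super cookie could be set. The following is an added example to make that failure mode concrete; it is not curl or libpsl code, and the handful of suffix rules in `CONSTRUCTED_PSL` is a constructed stand-in for the real Public Suffix List, not the list itself. `is_cookie_domain_acceptable` runs the check both the vulnerable way (inputs passed through untouched) and the corrected way (both inputs lowercased and the leading dot stripped first).

```python
"""Toy model of a public-suffix cookie-domain check, with and without
input normalization. Added example, not curl's or libpsl's code."""
from __future__ import annotations

# Constructed subset of public-suffix rules. Like the real list, every
# rule is lowercase, so any lookup must be fed lowercase input.
CONSTRUCTED_PSL = {"com", "org", "net", "uk", "co.uk", "org.uk", "github.io"}


def normalize(name: str) -> str:
    """Lowercase a domain name and drop the leading dot a cookie may carry."""
    return name.lower().lstrip(".")


def public_suffix(domain: str, psl: set[str]) -> str | None:
    """Longest rule in psl that is a suffix of domain, compared exactly
    (case-sensitive, as a lowercase-only table would). None if no rule hits."""
    labels = domain.split(".")
    for i in range(len(labels)):           # whole name first, then shorter suffixes
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return None


def domain_matches(hostname: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match. DNS names are case-insensitive, so this
    comparison lowercases on its own, which is exactly why a mixed-case
    cookie domain sails through this step."""
    h, d = hostname.lower(), cookie_domain.lower()
    return h == d or h.endswith("." + d)


def is_cookie_domain_acceptable(hostname: str, cookie_domain: str,
                                psl: set[str], normalize_inputs: bool = True) -> bool:
    """Return True if a cookie for cookie_domain may be set by hostname.

    normalize_inputs=False models the vulnerable path: the public-suffix
    lookup receives the strings as the site sent them.
    """
    if normalize_inputs:
        hostname, cookie_domain = normalize(hostname), normalize(cookie_domain)
    else:
        hostname, cookie_domain = hostname.lstrip("."), cookie_domain.lstrip(".")
    if not domain_matches(hostname, cookie_domain):
        return False
    # A cookie scoped to a public suffix would be visible to every site under
    # it (a "super cookie"), so the whole cookie_domain must not be a suffix rule.
    if public_suffix(cookie_domain, psl) == cookie_domain:
        return False
    return True


# Constructed test cases: (hostname, cookie domain, expected result after the fix)
CASES = [
    ("example.co.uk", "co.UK", False),              # mixed-case super cookie attempt
    ("example.co.uk", ".co.uk", False),             # plain super cookie attempt
    ("www.example.co.uk", "example.co.uk", True),   # legitimate registrable domain
    ("www.example.co.uk", "EXAMPLE.CO.UK", True),   # legitimate, odd casing
    ("example.com", "COM", False),                  # TLD-wide super cookie attempt
    ("other.com", "example.com", False),            # does not domain-match at all
]


def run_cases(normalize_inputs: bool = True) -> list[bool]:
    """Evaluate every case with the chosen code path."""
    return [is_cookie_domain_acceptable(h, d, CONSTRUCTED_PSL, normalize_inputs)
            for h, d, _ in CASES]


if __name__ == "__main__":
    for (host, dom, expected), vuln, fixed in zip(CASES, run_cases(False), run_cases(True)):
        flag = "  <-- super cookie slipped through" if vuln and not expected else ""
        print(f"{host:20} {dom:16} vulnerable={vuln!s:5} fixed={fixed!s:5}{flag}")
```

The two rows that differ between the columns are the ones the report is about: `co.UK` and `COM` pass the case-insensitive domain match, miss the exact-match suffix lookup, and are accepted on the vulnerable path only. The lesson for anyone calling a public-suffix library from their own code is the one the post draws: normalize both the host and the cookie domain to the form the library expects before asking it anything.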
We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:
curl disclosed on HackerOne: [Critical] Curl CVE-2023-38545...
## Summary: Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet ## Steps To Reproduce: To replicate the issue, I have searched in the Bard about this vulnerability. It... (HackerOne)