This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.

And the year isn't over yet.

@bagder Even if you subtract the 35 likely slop submissions the trend stays the same, though. So, is the slop count an underestimation, or are there different root causes?
@neverpanic it's very hard to assess what is slop. I suspect a large amount of people get tricked by AIs but submit the report "in a human way" so that the AI's involvement is invisible. But that's just one theory.

@bagder

„The only winning move is not to play.“ ~ WarGames

@bagder

Maddening.

And there is probably more than the "identified slop", as the growth is much higher than that?

@bagder Looking at it more positively, even though more people are looking into security vulnerabilities in curl, there is less and less found every year. Good job!

@bagder Alas, I see the same on those security contact aliases I'm still on.

The highlight of the week was someone sending a several pages long report on an "exposed" Grafana instance, with API traces, screenshots, etc pp. Oh no, confidential data leakage! Asked for a bounty and urged to turn off anonymous access.

Yes, my bro, that is the *public* telemetry dashboard.

There's zero amount of thinking happening before they send those out. Asymmetric warfare.

@larsmb @bagder In a similar vein it's long been pretty common for people to send beg bounties to people running open source web applications informing them that their site's source code is exposed. Yes. Yes, it is.
@larsmb @bagder Reminds me of the day when the DAST scanner reported "I get an HTTP 200, despite sending wrong credentials!"
"Yes, that's the login failed error page". And it took me over 1.5 years to convince several people to close the security issue as "not a problem" because everyone enslaved themselves to scanners and did not dare to act.
@bws
Not defending unvetted/non-contextualized DAST results, and not security related at all - but I would probably argue that 401 should be used in that particular case... Imagine how the Internet would look if we just sprinkled 200 OK all over the place! *waves fist at cloud*
@kchr For an API? Yes, totally. But it was using a browser, and in this case I'd argue not? The target of this response was a human.
@bagder in a few months time (yes new year's prediction) the industry will have a financial correction of indeterminate size ... after that it will be easier to reason with folks. As with any tech surge, there are a few things that are useful and a lot of speculation ... the scale (and speed) of all this is daunting mostly due to uncontrolled outcomes. Calm heads prevail.
@bagder similar experience on yeswehack. To be fair the platform owners are trying really hard to put a stop to it, but it's like trying to stop a tsunami with a portable umbrella. I'm beginning to think these platforms need to start charging a deposit for any submitted report...

@bluca @bagder

We're going to need complicated logic questions for account sign-ups to prevent spam, aren't we?

@bagder Are you considering just ignoring all submissions on HackerOne?
@bagder At least the quality of your graphs is going up.

Is it still AI stuff that's mostly coming?