Bug Bounties have always been a sort of medium-value program. They do generate measurable security improvement, reliably — more than can be said for many security programs! — but they also cost a lot of time in triage, reproduction and communication. Historically the juice has been worth the squeeze, but with the rise of slop reports that’s no longer true. I suspect we’ll see a lot more bounty programs quietly (or loudly) end soon. https://cyberplace.social/@GossiTheDog/115934980914548808
Kevin Beaumont (@GossiTheDog@cyberplace.social)

Curl, one of the largest and most widely used open source projects, is to stop its bug bounty at the end of this month due to being overwhelmed by generative AI slop bug bounty reports. https://github.com/curl/curl/pull/20312
I genuinely wonder what this does for the unit economics of companies like HackerOne/Bugcrowd/etc. I can’t imagine it’s good news.
@jacob HackerOne has been pivoting hard away from their bounty product and towards their "AI-powered exposure reduction platform" for a while now, so I think they've seen the writing on the wall
@glyph Woof, I missed that pivot. Seems bad.
@jacob It has been kinda gradual (bug bounties are still prominently featured because they know better than to throw out the thing people actually know them for) but yeah I would say it's a pretty bad leading indicator
@glyph @jacob The HackerOne AI pivot makes sense to me. There is a lot of value in automating so much of that work now that we can. Anyone seeking bounties is already doing the same.