Switching away from Hackerone is not a guarantee... Here we go.

George,

This was pure stupidity on your part (including your AI) and was nothing but rude and pointless.

Please never contact us again.

The guy and his AI found three uses of memcmp() in TLS code and insisted it was a "CRITICAL" side-channel security vulnerability.

A 2-second check of those three uses told us it was not real.

byebye George

@bagder

But memcmp is evil /s

*insert child screaming and shitting all over the ceiling picture here*

@bagder byebye George! 👋
@bagder we received a CVSS 7.5 DoS report because an invalid packet may trigger an int underflow. The packet parsing code then refuses to handle a 4GB packet and closes the session gracefully. The report was entirely AI generated.
@bagder weirdest drinking game ever, too
@bagder so not as unsloppable as I thought :(
@bagder We wouldn’t want you to be bored now, would we?
@bagder Have you considered a reverse bug bounty where users pay to submit reports? It could be a good funding model.
@rev_null @bagder that's something that was mentioned in this blog post, and it mentions a few reasons why that approach wasn't chosen right now.
The end of the curl bug-bounty

tldr: an attempt to reduce the terror reporting. There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first …

daniel.haxx.se