Early anecdotal data: turning off the bug-bounty may not make much difference... 😱
@bagder they do it for the love of the game 😂
@bagder People probably pay less attention than you think (this is a general rule of thumb of mine), they may still assume there is monetary reward even without H1. IMO you should give it some time.
@buherator yes, we need to give this time to settle in so this is for sure not a certain observation just yet
@buherator @bagder I never even had a bug bounty for OctoPrint and yet I get slop (or crap) reports and beg bounty mails. But I used to be forced into huntr.dev, which at its start handed out money for accepted issues in open source projects, and I slid into the CTO's DMs to get out of there as that definitely increased the amount of crap. So from my experience, not having a bounty program doesn't offer full protection against slop DDoS attacks, but it certainly helps long term.
@foosel @buherator @bagder I don't know whether "beg bounty" is a typo, but it's funny
Beg Bounties (Troy Hunt): When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago (https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/), I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone
@buherator @bagder @oxyte Not a typo, definition see other reply 😉
@foosel @buherator @bagder Read it already. You learn something new every day, huh

@oxyte @buherator @bagder Be glad you learned about it this way and not by being on the receiving end of it, repeatedly...

I actually have a growing email filter that's now 11 addresses long for one and the same guy who keeps spamming my mail account with generic AF security reports about "the application" every other week. I tried talking to him in the beginning, linked to OctoPrint's security policy, explained that there's no bounty. No response, just more "reports". Now straight to spam.

@bagder I did not follow this very closely, but my optimistic approach would be that the AI bots still come in because they did not yet find the information that the bug bounty was discontinued. Maybe some humans need to remove it from a list of go-to repositories?
@bagder I'd guess people are still out for the credibility, trying to take a shortcut instead of playing the long game.
It's not that much different from people using AI to pretend they are skilled / capable in job interviews.
@bagder Chances are that the "security researcher factories" have not yet internalized that there is no money to be made from cURL any more...

@bagder Maybe give it some time until the humans behind them get the information? 🤣

P.S.: Your closing keynote at FOSDEM was very inspiring - as a fellow FOSS contributor & maintainer (at my "little" scale). Thank you!

@bagder Time for reverse bug bounty!
@bagder I guess some people/groups really want to be able to say they spotted some vulnerabilities in curl to boost their reputation 🤷‍♂️
@bagder We never had a bounty program for @weblate and still we get quite some AI slop security reports. In addition, we also get questions on whether we will have a bounty program from the people who submitted AI slop.
@bagder Probably need to wait for the next round of models to ingest the information that the bug-bounty program is no more. Unfortunately.
@bagder Sorry to hear that. Is it a compliment to be so bugged all the time? I imagine for some people knowing any single one other person on the planet is remotely interested (for whatever reason) in their code is quite a compliment. Knowing hundreds are at it is annoying (as your talk said) but if no-one at all reported anything, would that be far worse?
@bagder The next step is: create a bot that creates a patch with a hidden issue, use another bot to find this issue, …, PROFIT!
@bagder Maybe try moving in the opposite direction, then? If going 1 -> 0 did not work, maybe going 1 -> 2 will fix it?

@bagder even before the LLM craze, people were spamming security contacts. If it keeps being a problem you could require reports to be PGP-encrypted (assuming it's email).

Of course, this depends on whether you are okay with causing friction to legitimate reporters - I always looked for a PGP key when reporting, but n=1 sample size.

@bagder Sounds like someone in AI is out to get you.